Compromised websites are part of many attacks online. They can be used to host a variety of threats, ranging from simple spam pages, to redirection pages, to actual malicious files.
We recently came across a case that highlighted the scale of this threat. A backdoor (detected as BKDR_FIDOBOT.A) was being used to brute-force many WordPress blogs. It tries to log into Joomla and WordPress administrator pages at /administrator/index.php and /wp-login.php. To do this, it connects to a C&C server, from which it downloads a list of sites to target as well as passwords to use. (It consistently uses admin as the user name.) Successful logins are also uploaded to the same C&C server.
Over the course of a single day, this backdoor was used to try to attack more than 17,000 different domains. This would total more than 100,000 domains in the course of a single week. This was from a single infected machine alone; with any botnet of decent size, many more sites would have been at risk from this attack.
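From the targeted site's side, the behaviour described above is visible in the web server access log as a burst of POST requests to /wp-login.php or /administrator/index.php from one client address. The following is an added example, not code from the original post or from Trend Micro, of a small log-side detector for that pattern. The log lines are constructed samples in the common "combined" format, and the window and threshold values are assumptions to be tuned per site. It also counts 302 responses to those POSTs, since WordPress re-renders the login form with a 200 on a failed login and redirects with a 302 on success, which makes a 302 at the end of a burst worth a closer look.

```python
"""
Added example: flag clients that hammer CMS login pages (brute-force
detection over access log lines). Not code from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Login endpoints named in the post.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
WINDOW_SECONDS = 60   # assumption: burst measured over this many seconds
THRESHOLD = 5         # assumption: login POSTs per window that count as brute force

# Apache/nginx "combined" format: ip - user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one attacker bursting at /wp-login.php (last guess
# answered with a 302), one normal user, and one slow client whose POSTs to the
# Joomla admin page are 20 minutes apart and therefore below the burst threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3154 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.5 - - [10/Sep/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3154 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Sep/2013:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2013:10:00:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Sep/2013:10:20:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Sep/2013:10:40:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Sep/2013:11:00:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Sep/2013:11:20:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop query string
    return {"ip": m.group("ip"), "time": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def find_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: summary} for every client that POSTed to a CMS login page
    at least `threshold` times within any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            events[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        # Sliding window: any `threshold` consecutive POSTs inside `window` seconds.
        burst = any(
            (times[i + threshold - 1] - times[i]).total_seconds() <= window
            for i in range(len(times) - threshold + 1)
        )
        if burst:
            alerts[ip] = {
                "attempts": len(evs),
                # WordPress answers a failed login with 200 (form re-rendered)
                # and a successful one with a 302 redirect, so 302s after a
                # burst are the guesses that probably worked.
                "likely_successes": sum(1 for e in evs if e["status"] == 302),
                "paths": sorted({e["path"] for e in evs}),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run as-is it reports only 203.0.113.7 (six attempts, one likely success). Widening the window, for example to two hours, also catches the slow client 203.0.113.9, which is the trade-off a site administrator tunes against the noise of legitimate users mistyping their passwords.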
The targeted sites were mostly found in the United States, with almost two-thirds of the attacked sites being from that country. Countries in Europe made up the rest of the top five. The majority of the affected sites are owned either by individuals or by small businesses, as those are the sectors most likely to use WordPress and Joomla as their content management system.
Figure 1. Distribution of targeted sites
This attack is troubling enough in itself. However, looked at in a bigger picture, such massive attempts to log into numerous WordPress sites can be a precursor of a more menacing attack. The Stealrat botnet operation, for example, uses several compromised WordPress sites to generate spam and conceal its operations. The notorious Blackhole Exploit Kit has also used several WordPress sites to redirect users to its final payload.
Threats like these highlight how important it is for site administrators to properly secure content management systems (CMSes) like WordPress. Best practices such as keeping the software up to date and using strong passwords are a must to prevent sites from being compromised. A compromised site can affect many thousands of users, so it is all the more important for administrators to secure their passwords. Settings and plug-ins that help secure CMSes are available to administrators, and they should use them appropriately.
There is one more interesting thing about the backdoor used to carry out this attack: its file properties claim that it was published by a legitimate software vendor, and they also make a reference to the NSA’s PRISM program:
Figure 2. File properties
The Smart Protection Network was able to provide the information necessary to help us analyze this threat, as well as protect our users against it. In addition, we use the Smart Protection Network to provide multiple layers of defense against this threat – including blocking the malicious C&C server and detecting the malicious backdoor.