Thursday, February 14, 2013

New Botnet; Target - High End Servers


Mark Sitkowski, consultant with SteelPlateZ, posted this on LinkedIn, but it's sufficiently important to bring to everyone's attention here.

This must be taken seriously and, if you have a problem, the disinfection script must be used immediately. One should monitor the traffic to any infected server before disinfecting it, and send the results to the local CERT, who are helping to trace the C&C of the criminal responsible for this mess.

eggdrop bot/psybnc - e-Knights Technologies

The feedback from ISPs with infected servers is that the mechanism is usually eggdrop bot/psybnc. Here are some stats of data centres infected by this botnet:


  • US West coast: 35
  • US East coast: 121
  • Brazil: 31
  • W. Europe: 123
  • E. Europe: 25
  • Turkey: 78
  • Russia: 38
  • India: 4
  • SE Asia: 41
  • Indonesia: 18
  • Australia: 10
  • Africa: 5

CERT offices in these countries were reported, and replies were received from Latvia, HK and Austria, who have the smallest number of infected servers. Shame on you, CERT UK, CERT US, and CERT Russia. It seems you're only good for telling people how to install antivirus on their PCs.

The dangerous aspect of this botnet is that it attacks blocks of consecutive IP addresses, and has managed to contaminate servers in a hospital, an airport and several education networks. It's only a matter of time before it finds a public utility or government department, and does some real damage.

If you want to make a note of the kinds of attack vectors it uses, download botnet_hack.txt, and make sure your installation isn't prone to them. The fight against this botnet has been ongoing since Xmas Eve, and it's time everyone responsible for security in a data centre checked all their servers. This is no ordinary botnet, targeting some Tom, Dick or Harry's PC. From the experiences so far, this only infects high end servers in data centres around the world. A back door is put into cPanel and WordPress installations, which are then directed to infect other servers, cycling through IP addresses on a numerical basis, so it spreads like wildfire. Any htdocs directory with POST enabled gets the back door installed, and anything running cPanel or WordPress is vulnerable. Write to the cPanel and WordPress information sites if you want more details.

As of the last update, about 990+ zombies in 23 countries had been destroyed.

Courtesy:  LinkedIn, Mark Sitkowski-SteelPlateZ