Researchers at Imperva have discovered an ‘experimental’ botnet that uses around 300 hijacked web servers to launch high-bandwidth DDoS attacks.
The servers are all believed to be open to an unspecified security vulnerability that allows the attacker, who calls him or herself ‘Exeman’, to infect them with a tiny, 40-line PHP script. This includes a simple GUI from which the attacker can return at a later date to enter in the IP, port and duration numbers for the attack that is to be launched.
But why servers in the first place? Botnets are built from PCs and rarely involve servers.
According to Imperva's CTO, Amachai Shulman, they have no antivirus software and offer high upload bandwidth, typically 10-50 times that of a consumer PC. Are there disadvantages to this? There are simply fewer of them, the attacker needs to find vulnerable machines using PHP, and they appear to need manual control, although Shulman did say that attacks could probably be automated using a separate script.
Imperva uncovered the attack by obtaining the server attack source code, which was simply run through Google, revealing a list of servers infected with it. The company was then able to watch as the attacker used a compromised server to launch a real denial-of-service attack on a Dutch ISP. The purpose is probably extortion-related.
The controller of the botent had used the Tor anonymity system to hide his or her incoming connections, which made it impossible to judge location. The servers themselves were lone servers at hosting companies, perhaps ones not carefully monitoring outgoing traffic patterns.
Would hosting companies or website owners know they were being hijacked by one of the Internet’s oddest botnets? Most likely, only if the authorities or third-party ISP comes calling with complaints of unwanted Internet traffic.
The botnet's GUI hints that the hijack program, and perhaps the botnet itself, was probably created to be rented out to third-parties. A message in the simple interface reminds its users “Don’t DoS yourself nub.”