An Overview of the WCMS Brute-forcing Malware Landscape

  • Anna Shirokova Cognitive Threat Analytics, Cisco Systems
  • Veronica Valeros Cognitive Threat Analytics, Cisco Systems

Abstract

Web Content Management Systems (WCMS) provide simple tools to manage web content that enables users with little knowledge of programming languages and web design. WCMSs have become extremely popular in the last decade. WordPress, with more than 18M websites world wide, is the most prominent WCMS. Is because of its popularity that this and other well-known WCMSs have been systematically attacked for the past years by different threat actors seeking disposable infrastructure for their attacks.


Brute-force attacks are one of the most common types of attacks against WCMSs. The goal of such an attack is to guess a valid user name and password in order to access the WCMS administration panel. Attackers especially take advantage of users choosing weak credentials. Successfully brute-forced websites are typically used for hosting C\&Cs, scams, and drive-by attacks to spread malware.


This paper presents an historical overview and current state of WCMS brute-force attacks with a focus on botnets and techniques used. We present a case of study of Sathurbot, a modular HTTP-based botnet. Finally, we discuss detection methods to identify these type of attacks.

References

[1] Wikipedia, “Web content management system.” https://en.wikipedia.org/wiki/Web_content_mana-gement_system, 2017. Last accessed 04 August 2017.
[2] “Wordpress.” https://www.wordpress.com/, 2003. Last accessed 04 August 2017.
[3] “Drupal.” https://www.drupal.org/, 2000. Last accessed 04 August 2017.
[4] “Joomla.” https://www.joomla.org/, 2005. Last accessed 04 August 2017.
[5] “vBulletin.” https://www.vbulletin.com/, 2000. Last accessed 04 August 2017.
[6] “Blogger.” https://www.blogger.com/, 1999. Last accessed 04 August 2017.
[7] BuiltWith, “Wordpress usage statistics.” https://trends.builtwith.com/cms/WordPress, 2017. Last accessed 04 August 2017.
[8] SANS Internet Storm Center, “Brute distributed wordpress admin account cracking.” https://isc.sans.edu/diary/Distributed+Wordpress+admin+account+cracking/7663, 2009. Last accessed 04 August 2017.
[9] ESET, “Stantinko: A massive adware campaign operating covertly since 2012.” https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf, 2017. Last accessed 04 August 2017.
[10] DrWeb, “New trojan compromises blog sites in russia and other countries.” https://news.drweb.com/show/?i=3811, 2013. Last accessed 04 August 2017.
[11] Arbor Networks, “Fort disco bruteforce campaign.” https://www.arbornetworks.com/blog/asert/fort-disco-bruteforce-campaign/, 2013. Last accessed 04 August 2017.
[12] MalwareMustDie, “MMD-0020-2014 - Analysis of Linux/Mayhem infection: A shared DYN libs malicious ELF:libworker.so.”http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html, 2014. Last accessed 04 August 2017.
[13] A. Kovalev, K. Otrashkevich, and E. Sidorov, “MAYHEM - A HIDDEN THREAT FOR *NIX WEB SERVERS.”https://www.virusbulletin.com/uploads/pdf/magazine/2014/vb201407-Mayhem.pdf, 2014. Last accessed 04 August 2017.
[14] Voidsec, “Aethra botnet.” https://voidsec.com/aethra-botnet-en/, 2015. Last accessed 04 August2017.
[15] Kaspersky, “The shade encryptor: a double threat.”https://securelist.com/the-shade-encryptor-a-double-threat/72087/, 2015. Last accessed 04 August 2017.
[16] V. Valeros, “Make it count: An analysis of a brute forcing botnet.” https://journal.cecyf.fr/ojs/index.php/cybin/article/view/5, 2015.
[17] Wordfence, “Analysis: Methods and monetization of a botnet attacking wordpress.” https://www.wordfence.com/blog/2017/01/wordpress-botnet-monetization/, 2016. Last accessed 04 August 2017.
[18] Wordfence, “Huge increase in brute force attacks in december and what to do.” https://www.wordfence.com/blog/2016/12/how-to-protect-against-brute-force-attack/, 2016. Last accessed 04 August 2017.
[19] ESET, “Sathurbot: Distributed wordpress password attack.” http://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/, 2017. Last accessed 04 August 2017.
[20] S. Garcia, “Malware Capture Facility Project.” https://stratosphereips.org, 2017. Last accessed 04 August 2017.
[21] WordPress, “XML-RPC WordPress API.” https://codex.wordpress.org/XML-RPC_WordPress_API, 2017. Last accessed 04 August 2017.
[22] Rapid7, “Wordpress brute force and user enumeration utility.” https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_login_enum, 2017. Last accessed 04 August 2017.
Published
2017-12-31
How to Cite
SHIROKOVA, Anna; VALEROS, Veronica. An Overview of the WCMS Brute-forcing Malware Landscape. The Journal on Cybercrime & Digital Investigations, [S.l.], v. 3, n. 1, p. 20-29, dec. 2017. ISSN 2494-2715. Available at: <https://journal.cecyf.fr/ojs/index.php/cybin/article/view/18>. Date accessed: 26 sep. 2018. doi: https://doi.org/10.18464/cybin.v3i1.18.
Section
Conference proceedings