An Overview of the WCMS Brute-forcing Malware Landscape
Abstract
Web Content Management Systems (WCMSs) provide simple tools for managing web content, enabling users with little knowledge of programming languages or web design to publish websites. WCMSs have become extremely popular in the last decade. WordPress, with more than 18M websites worldwide, is the most prominent WCMS. It is because of this popularity that WordPress and other well-known WCMSs have been systematically attacked in recent years by different threat actors seeking disposable infrastructure for their operations.
Brute-force attacks are one of the most common types of attack against WCMSs. The goal of such an attack is to guess a valid user name and password in order to access the WCMS administration panel; attackers especially take advantage of users who choose weak credentials. Successfully brute-forced websites are typically used for hosting C&C servers, scams, and drive-by attacks that spread malware.
This paper presents a historical overview and the current state of WCMS brute-force attacks, with a focus on the botnets and techniques used. We present a case study of Sathurbot, a modular HTTP-based botnet. Finally, we discuss detection methods to identify these types of attacks.
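As an added illustration of the kind of detection the paper discusses, the following Python script scans web-server access logs for two brute-force signatures: a single source hammering the login endpoint, and a distributed campaign in which many sources each make only a few attempts. This is example code written for this page, not code from the paper or from any of the botnets it analyses. It assumes the default WordPress login paths (/wp-login.php and /xmlrpc.php), that WordPress answers a failed wp-login.php POST with a 200 page and a successful one with a 302 redirect, and thresholds that are placeholders to be tuned per site; the log lines are constructed for the example and use RFC 5737 test addresses.

```python
"""Flag brute-force attempts against a WordPress login endpoint in access logs.

Example code for this page; not the paper's own tooling. Assumptions are
marked inline.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (ip ident user [time] "request" status size ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # assumption: default WordPress paths


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def login_attempts(lines):
    """Yield parsed POST requests to the login endpoints; everything else is ignored."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            yield rec


def _max_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window_s-second window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(lines, window_s=60, per_ip_threshold=5, distributed_threshold=10):
    """Return noisy single sources and a flag for a distributed, mostly-failing campaign.

    Thresholds are placeholders (assumption); tune them against normal traffic.
    """
    per_ip = defaultdict(list)
    total = successes = 0
    for rec in login_attempts(lines):
        per_ip[rec["ip"]].append(rec["ts"])
        total += 1
        # Assumption: WordPress replies 200 to a failed wp-login.php POST and 302 on
        # success. xmlrpc.php always returns 200 (errors are XML-RPC faults in the body),
        # so its attempts are counted but cannot be classified by status alone.
        if rec["path"] == "/wp-login.php" and 300 <= rec["status"] < 400:
            successes += 1
    noisy_ips = sorted(ip for ip, ts in per_ip.items()
                       if _max_in_window(ts, window_s) > per_ip_threshold)
    distributed = (len(per_ip) >= distributed_threshold
                   and total > 0 and successes / total <= 0.1)
    return {"noisy_ips": noisy_ips, "distributed": distributed,
            "attempts": total, "sources": len(per_ip)}


# Constructed sample log: one legitimate login, one loud brute forcer, and a
# low-and-slow distributed campaign through XML-RPC from twelve different hosts.
SAMPLE_LOG = [
    '192.0.2.5 - - [10/Aug/2017:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.5 - - [10/Aug/2017:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
SAMPLE_LOG += [
    f'203.0.113.10 - - [10/Aug/2017:12:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3400'
    for i in range(0, 40, 5)  # 8 failed attempts in 35 s from one source
]
SAMPLE_LOG += [
    f'198.51.100.{n} - - [10/Aug/2017:12:{2 + n:02d}:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420'
    for n in range(1, 13)  # 12 sources, one attempt each, spread over 12 minutes
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Running the script on the constructed log reports 203.0.113.10 as a noisy source and raises the distributed flag (14 distinct sources, 21 attempts, a single success). On a real deployment the per-IP window catches the classic single-bot pattern, while the distributed check is what surfaces botnets like those the paper describes, where no single IP exceeds a rate limit.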
Copyright (c) 2017 Anna Shirokova, Veronica Valeros

This work is licensed under a Creative Commons Attribution 4.0 International License.