Botnets for hire likely attacked U.S. banks
Attacks on several banks were very sophisticated, security researchers say
IDG News Service - Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions -- thought by some to be the work of Iran -- are using botnets for hire.
The compromised website contained a PHP-based backdoor script that was regularly instructed to send numerous HTTP and UDP (User Datagram Protocol) requests to the websites of several U.S. banks, including PNC Bank, HSBC and Fifth Third Bank, Ronen Atias, a security analyst at Web security services provider Incapsula, said Tuesday in a blog post.
Atias described the compromised site as a "small and seemingly harmless general interest UK website" that recently signed up for Incapsula's services.
An analysis of the site and the server logs revealed that attackers were instructing the rogue script to send junk traffic to U.S. banking sites for limited periods of time varying between seven minutes and one hour. The commands were being renewed as soon as the banking sites showed signs of recovery, Atias said.
During breaks from attacking financial websites the backdoor script was being instructed to attack unrelated commercial and e-commerce sites. "This all led us to believe that we were monitoring the activities of a Botnet for hire," Atias said.
"The use of a Web Site as a Botnet zombie for hire did not surprise us," the security analyst wrote. "After all, this is just a part of a growing trend we're seeing in our DDoS prevention work."
"In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers," Atias said. "It makes perfect sense. These are generally stronger machines, with access to the high quality hoster's networks and many of them can be easily accessed through a security loophole in one of the sites."
Another interesting aspect of the PHP-based backdoor analyzed by Incapsula is that it had the ability to multiply on the server in order to take full advantage of its resources, Atias said. "Since this is a server on the hoster's backbone, it was potentially capable of producing much more traffic volume than a regular 'old school' botnet zombie."
In addition, the backdoor script provided an API (application programming interface) through which attackers could inject dynamic attack code in order to quickly adapt to changes in the website's security, Atias said.
The attack script on the compromised U.K. website was being controlled through another website in Turkey that belongs to a Web design company. Incapsula's researchers believe that the Turkish site had been compromised as well and was serving as a bridge between the real attackers and their website-based botnet.
This local bank has an old-fashioned two-story lobby and its own mainframe upstairs -- and a disaster waiting to happen.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- The Big Data Opportunity for HR and Finance
- If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- The Business Value of Continuous Delivery
- Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery
- Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets
- Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- Trends Shaping Software Management: 2014
- Most IT executives recognize the relationship between mobile computing and worker productivity, and have long issued notebook computers and other mobile devices to... All Financial IT White Papers
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt.
- IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- Leveraging Flash Storage to Accelerate Oracle Real Application Clusters Join this webinar to understand the latest solid-state storage trends, the specific applications driving solid-state storage deployments and the benefits of deploying the...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- All Financial IT Webcasts