Botnets for hire likely attacked U.S. banks
Attacks on several banks were very sophisticated, security researchers say
IDG News Service - Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions -- thought by some to be the work of Iran -- are using botnets for hire.
The compromised website contained a PHP-based backdoor script that was regularly instructed to send numerous HTTP and UDP (User Datagram Protocol) requests to the websites of several U.S. banks, including PNC Bank, HSBC and Fifth Third Bank, Ronen Atias, a security analyst at Web security services provider Incapsula, said Tuesday in a blog post.
Atias described the compromised site as a "small and seemingly harmless general interest UK website" that recently signed up for Incapsula's services.
An analysis of the site and the server logs revealed that attackers were instructing the rogue script to send junk traffic to U.S. banking sites for limited periods of time varying between seven minutes and one hour. The commands were being renewed as soon as the banking sites showed signs of recovery, Atias said.
During breaks from attacking financial websites the backdoor script was being instructed to attack unrelated commercial and e-commerce sites. "This all led us to believe that we were monitoring the activities of a Botnet for hire," Atias said.
"The use of a Web Site as a Botnet zombie for hire did not surprise us," the security analyst wrote. "After all, this is just a part of a growing trend we're seeing in our DDoS prevention work."
"In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers," Atias said. "It makes perfect sense. These are generally stronger machines, with access to the high quality hoster's networks and many of them can be easily accessed through a security loophole in one of the sites."
Another interesting aspect of the PHP-based backdoor analyzed by Incapsula is that it had the ability to multiply on the server in order to take full advantage of its resources, Atias said. "Since this is a server on the hoster's backbone, it was potentially capable of producing much more traffic volume than a regular 'old school' botnet zombie."
In addition, the backdoor script provided an API (application programming interface) through which attackers could inject dynamic attack code in order to quickly adapt to changes in the website's security, Atias said.
The attack script on the compromised U.K. website was being controlled through another website in Turkey that belongs to a Web design company. Incapsula's researchers believe that the Turkish site had been compromised as well and was serving as a bridge between the real attackers and their website-based botnet.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Automating Cost Transparency
- By making all of the costs of running IT transparent, IT can change the way business units consume IT resources, drive down total...
- Cisco Case Study
- Before Cisco could effectively manage the business of IT, the company needed to improve the way it accounted for the cost and performance...
- IT Financial Metrics Primer
- This Executive Brief details financial and non-financial metrics that IT financial managers must use to foster conversations with business stakeholders.
- Finance - Interactive eGuide
- In this e-Guide, Computerworld, IDG News Service and IT World examine software-defined data centers, customer experience tools, and security issues that are top...
- Jyske Bank extends brand message to more than one million visitors a month
- IBM WebSphere Portal software helps bank offer a clearly differentiated digital experience All Financial IT White Papers
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade.
- Peer 1's Mission Critical Cloud: Your Cloud, Your Way Peer 1 Hosting's Mission Critical Cloud offers the ultimate in flexible customization of infrastructure, resources and support.
- Data Breaches - Don't Be a Headline Whether it's a HIPAA/HITECH, Sarbanes Oxley, Gramm-Leach-Bliley violation, or a State breach notification law, a data breach can have substantial legal and financial...
- Accelerate your innovation with IBM Bluemix™ Join us for a webcast introducing the new IBM BluemixTM. IBM Bluemix (www.bluemix.net) is a developer oriented Platform as a Service (PaaS) environment...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the...
- All Financial IT Webcasts