Botnets for hire likely attacked U.S. banks
Attacks on several banks were very sophisticated, security researchers say
IDG News Service - Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions -- thought by some to be the work of Iran -- are using botnets for hire.
The compromised website contained a PHP-based backdoor script that was regularly instructed to send numerous HTTP and UDP (User Datagram Protocol) requests to the websites of several U.S. banks, including PNC Bank, HSBC and Fifth Third Bank, Ronen Atias, a security analyst at Web security services provider Incapsula, said Tuesday in a blog post.
Atias described the compromised site as a "small and seemingly harmless general interest UK website" that recently signed up for Incapsula's services.
An analysis of the site and the server logs revealed that attackers were instructing the rogue script to send junk traffic to U.S. banking sites for limited periods of time varying between seven minutes and one hour. The commands were being renewed as soon as the banking sites showed signs of recovery, Atias said.
During breaks from attacking financial websites the backdoor script was being instructed to attack unrelated commercial and e-commerce sites. "This all led us to believe that we were monitoring the activities of a Botnet for hire," Atias said.
"The use of a Web Site as a Botnet zombie for hire did not surprise us," the security analyst wrote. "After all, this is just a part of a growing trend we're seeing in our DDoS prevention work."
"In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers," Atias said. "It makes perfect sense. These are generally stronger machines, with access to the high quality hoster's networks and many of them can be easily accessed through a security loophole in one of the sites."
Another interesting aspect of the PHP-based backdoor analyzed by Incapsula is that it had the ability to multiply on the server in order to take full advantage of its resources, Atias said. "Since this is a server on the hoster's backbone, it was potentially capable of producing much more traffic volume than a regular 'old school' botnet zombie."
In addition, the backdoor script provided an API (application programming interface) through which attackers could inject dynamic attack code in order to quickly adapt to changes in the website's security, Atias said.
The attack script on the compromised U.K. website was being controlled through another website in Turkey that belongs to a Web design company. Incapsula's researchers believe that the Turkish site had been compromised as well and was serving as a bridge between the real attackers and their website-based botnet.
- Google I/O 2013's Coolest Products and Services
- 10 Star Trek Technologies That are Almost Here
- 19 Generations of Computer Programmers
- 25 Must-Have Technologies for SMBs
- A walking tour: 33 questions to ask about your company's security
- 15 social media scams
- The 7 elements of a successful security awareness program
Can the financial services industry prevent some of these disasters through better quality software? I believe the answer is yes!
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Protection for Every Enterprise: How BlackBerry 10 Security Works
- Get an IT-level review of BlackBerry® 10 Security, addressing data leakage protection, certified encryption, containerization and much more.
- Manage Virtualized and Cloud Environments and the New Software-defined Data Center
- Analyst report by Enterprise Management Associates on the newly announced EMC Service Assurance Suite, and how well it addresses operational challenges and market...
- How Storage Resource Management Suite Meets Today's Storage Management Challenges
- This white paper outlines the common use cases Storage Resource Management Suite addresses including comprehensive monitoring, reporting, and analysis for heterogeneous block, file,...
- Sepaton DBeXstream Enhancements
- Silverton Consulting weighs in on why Sepaton is a compelling response to the data protection challenges inherent in today's large enterprise database environments...
- Sepaton Boosts Performance and Connectivity Options
- Read why Senior ESG analyst Jason Buffington and Research Analyst Monya Keane endorse the Sepaton S2100-ES3 Series 2925 data protection appliance (version 7.0)... All Financial IT White Papers
- 3 Reasons Why Sepaton is the World's Fastest Backup Solution
- Leading analyst, Storage Switzerland learns how Sepaton backs up and deduplicates massive data volumes while maintaining the industry's fastest performance - all in...
- Enterprise File Sharing: All You Need to Know
- Security. Scalability. Control. These are just some of the many benefits of enterprise cloud file-sharing that you'll discover in this KnowledgeVault, packed with...
- Bridging HTTP and FTP with FileXpress Internet Server
- What if you could take an FTP server on your internal network, and allow external users (partners or customers) to securely access it...
- MFT and FileXpress - An Overview
- Business users and applications exchange files on a regular basis. File transfer is a core part of the flow of business activity.
- Content Analytics: Big Data Conquered, Customer Service Elevated
- For organizations looking to start a content analytics program or improve their existing capabilities, Aberdeen Group and IBM will lay out several recommendations... All Financial IT Webcasts