Torte Botnet Infected 83k WordPress Hosting Servers

[Image: Torte botnet]

This is an interesting document from stateoftheinternet.com:

https://www.stateoftheinternet.com/downloads/pdfs/SpamBot-Investigation-whitepaper-R3.pdf

This botnet had 83,000 unique infections (including web servers running all operating systems).

On page 6 the researchers reveal the size of the botnet:

Using these logged responses, we found that the size of this botnet is fairly large. Over 1,400,000 (including duplicates from the c2) probe requests were sent to the c2 and subsequently to the url it handed back. Using this method, over 78,000 unique mailer infections were identified with 56,281 confirmed as active.

Remember, C2 is Command and Control (the server that runs the whole show).

[Image: operating systems of the botnet and C2 hosts]

The team thus confirmed their suspicion that this is a spam botnet, i.e. all of these systems were unwittingly being used to send spam emails to all of us.

On page 8 the report explains how emails are sent from the botnet machines.

The botnet software tries phpmail (PHP's mail function) first, and then falls back to raw socket connections (i.e. it issues the specific SMTP commands used to send email itself). Using raw sockets ensures that more of the botnet software works across the many types of operating systems the botnet resides on.
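From the defender's side, the two sending paths described above (a mail() call, then a raw SMTP socket as fallback) are exactly what a mailer dropped onto a compromised web server looks like on disk. The following is an added example written for this post, not code from the Akamai report or from the Torte samples: it scores PHP source for those indicators plus common obfuscation and ranks files. The indicator weights, the threshold and the three sample files are assumptions constructed for the example.

```python
"""Flag PHP files that look like spam mailers.

Added example for this post; it is not code from the Akamai report or
from the Torte samples. It looks for the two sending paths the report
describes (PHP mail() and a raw SMTP socket) plus common obfuscation,
and ranks files by a weighted score. The indicator weights and the
threshold are assumptions chosen for this example, and the sample
files below are constructed.
"""
import re
from typing import Dict, List

# (name, pattern, weight). A mail() call alone is normal for a contact
# form; it becomes interesting together with a raw SMTP socket or the
# decoding of a payload.
INDICATORS = [
    ("php_mail", re.compile(r"\bmail\s*\(", re.I), 2),
    # fsockopen/stream_socket_client with an SMTP port in the same statement
    ("smtp_socket", re.compile(
        r"\b(fsockopen|stream_socket_client)\s*\([^;]{0,120}\b(25|465|587)\b", re.I), 3),
    ("smtp_verbs", re.compile(r"\b(EHLO|HELO|MAIL FROM|RCPT TO)\b"), 2),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\(", re.I), 2),
    ("remote_fetch", re.compile(r"\b(curl_exec|file_get_contents)\s*\(\s*['\"]https?://", re.I), 1),
]
SUSPICIOUS_AT = 4  # assumption: mail() plus at least one more indicator


def score_php(source: str) -> Dict[str, object]:
    """Return matched indicator names, total weight and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_AT}


def scan_files(files: Dict[str, str]) -> List[str]:
    """Paths of suspicious files, highest score first."""
    scored = {path: score_php(src) for path, src in files.items()}
    flagged = [p for p, r in scored.items() if r["suspicious"]]
    return sorted(flagged, key=lambda p: -scored[p]["score"])


# Constructed sample files (not real Torte samples).
SAMPLE_FILES = {
    # Ordinary theme contact form: mail() only, not flagged.
    "wp-content/themes/demo/contact.php": r"""<?php
mail($to, $subject, $body);
""",
    # Mailer-style file under uploads: decoded payload, mail() first,
    # then a raw socket to port 25 as the fallback.
    "wp-content/uploads/2015/01/cache.php": r"""<?php
$c = base64_decode($_POST['c']);
if (!@mail($t, $s, $m)) {
    $fp = fsockopen($h, 25, $errno, $errstr, 30);
    fwrite($fp, "EHLO " . $h . "\r\n");
}
""",
    # Plugin that fetches a remote URL: low score, not flagged.
    "wp-content/plugins/demo/demo.php": r"""<?php
$json = file_get_contents('http://api.example.com/status');
""",
}

if __name__ == "__main__":
    for path in scan_files(SAMPLE_FILES):
        print(path, score_php(SAMPLE_FILES[path]))
```

Running it flags only the uploads file (score 9) while the contact form and the plugin stay below the threshold. PHP files under wp-content/uploads deserve extra suspicion in any case, since that directory should hold media, not code. The raw-socket fallback is also why egress filtering matters: a web server that can only reach the organisation's own mail relay on port 25 cannot deliver spam directly even when it is infected.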

The botnet was built in a way so as to make taking the botnet down very difficult.

The control servers are its weakest point; they are what makes the botnet susceptible to action that reduces its effectiveness.

It looks like the CMS (Content Management System) WordPress is the one that was taken over the most.

Unfortunately (pg 19) the WPScan team's list of vulnerable plugins contained 2615 plugins, of which 70% could have had a vulnerability that let the botnet in. Over 16374 unique domains had problems. The top plugin by unique infections (746) is Revslider: 17 different versions were detected across 455 instances, and all of these Revslider plugins were obsolete.

I found this interesting image from cyberkandra.com:

[Image: hacking WordPress via Revslider, from cyberkandra.com]

Also, the Revslider versions found on the botnet were 4.1.x and 4.2.x, whereas the latest version is 4.6.x; obviously people are just not updating their Revslider plugin.
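The version gap above is something a site owner can check mechanically rather than by memory. Below is an added example for this post, not code from the report or from WPScan: it reads the version each plugin declares in its main file header and compares it with a per-plugin floor. The header format (a leading comment block with "Plugin Name:" and "Version:" lines) is the real WordPress convention; the floor of 4.6.0 for revslider is an assumption taken from the 4.6.x figure in the text, and the sample headers are constructed.

```python
"""Flag obsolete WordPress plugins from their declared version.

Added example for this post; not code from the report or from WPScan.
The header format (a comment block at the top of the plugin's main
file with "Plugin Name:" and "Version:" lines) is the real WordPress
convention. The version floor and the sample headers are constructed:
the post contrasts 4.1.x/4.2.x with a current 4.6.x release, so 4.6.0
is used as the floor for revslider.
"""
import re
from typing import Dict, Optional, Tuple

# Assumption: minimum acceptable version per plugin directory name.
MIN_VERSIONS = {"revslider": "4.6.0"}

VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.M)


def parse_version(v: str) -> Tuple[int, int, int]:
    """'4.1.4' -> (4, 1, 4); '4.6' -> (4, 6, 0); '4.6.0-beta' -> (4, 6, 0).
    Missing components are padded so '4.6' and '4.6.0' compare equal."""
    nums = []
    for part in v.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def declared_version(main_file: str) -> Optional[str]:
    """Version from the plugin header, or None if there is no header."""
    m = VERSION_LINE.search(main_file)
    return m.group(1) if m else None


def is_obsolete(slug: str, main_file: str) -> Optional[bool]:
    """True if below the floor, False if at/above it, None if unknown."""
    floor = MIN_VERSIONS.get(slug)
    v = declared_version(main_file)
    if floor is None or v is None:
        return None
    return parse_version(v) < parse_version(floor)


def audit(plugins: Dict[str, str]) -> Dict[str, str]:
    """Map plugin slug -> 'version: OBSOLETE|ok|unknown'."""
    report = {}
    for slug, src in plugins.items():
        state = is_obsolete(slug, src)
        verdict = "unknown" if state is None else ("OBSOLETE" if state else "ok")
        report[slug] = f"{declared_version(src) or 'unknown'}: {verdict}"
    return report


# Constructed headers, keyed by plugin directory name (wp-content/plugins/<slug>/).
SAMPLE_PLUGINS = {
    "revslider": """<?php
/*
Plugin Name: Slider Revolution
Version: 4.1.4
*/
""",
    "akismet": """<?php
/**
 * Plugin Name: Akismet
 * Version: 3.1.0
 */
""",
}
UPDATED_REVSLIDER = "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.6.5\n*/\n"

if __name__ == "__main__":
    for slug, line in audit(SAMPLE_PLUGINS).items():
        print(f"{slug}: {line}")
```

On a live install the dictionary would be filled by reading each wp-content/plugins/<slug>/<slug>.php file; the point of padding the version tuple is that "4.6" and "4.6.0" must not be reported as different. A plugin with no floor is reported as unknown rather than ok, so a missing entry in the table is visible instead of silently passing.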

Then the report goes into what the spam contained: not a specific email, but an analysis of the language and types of letters. That portion is not a significant finding, in my opinion.

The most significant finding is the decentralized nature of this spam botnet, which infected thousands of domains and servers running obsolete software. That means at least 16374 domains around the world have lazy or incompetent website managers.
