
Yesterday we got to know of a massive brute force attack on WordPress admin accounts targeting weak passwords.

From an online source:

A botnet using more than 90,000 IP addresses to crack WordPress admin accounts may be used as part of a larger plot to disrupt online users, according to researchers.

WordPress users with the “admin” username are being targeted by a botnet consisting of compromised home PCs. The infected machines are brute-force hacking accounts, automatically inputting a list of commonly used passwords.
...

All that we know right now is that some 90,000 unique IP addresses were involved in this attack. Although the details of the attack will probably become public once the investigations get thorough, I wish to ask a generic question:

  1. The earliest bots were known to be IRC based. The latest trend in bots has been towards P2P. What information is sufficient or necessary for a domain expert to judge/conclude what type of botnet was used in a particular attack: IRC, HTTP or P2P?
  2. And what conclusions can be drawn right now for the WordPress attack?

I am not inviting speculation here, but some good answers (with good logic) in the spirit of this one by the Big Bear.

pnp
    @DownVote A -1 with no comments or suggestions seems unfair :( – pnp Apr 17 '13 at 11:01
  • Fair question, there's no record anywhere I could find about which actual bot is causing the infection. There are lists of compromised/attacking IPs which might lead to the source, but the IPs probably have multiple infections anyway... – NULLZ Apr 17 '13 at 11:05
  • Closed - the type of botnet used will probably become public once the investigation is complete, but as a question here, this doesn't fit - pure speculation. – Rory Alsop Apr 17 '13 at 11:12
  • Question 1: "What information is sufficient or necessary for a domain expert to judge/conclude what type of Botnet was used in a particular attack- IRC, HTTP or P2P?" seems like a perfect fit. – anaximander Apr 17 '13 at 12:10
  • All thanks to @RoryAlsop and the Mods for re-opening the question after the edits were made :) – pnp Apr 18 '13 at 04:50

1 Answer


The "IRC, HTTP or P2P" categorization of a botnet is about how the worker machines obtain their orders from the control centre. HTTP-based botnets connect to a control site whose URL they know; this is not very discreet in the long run. In particular, since this attack is assumed to be about hijacking servers to build a bigger botnet, each successfully infected server will be given a way to contact the control centre -- in the case of a main URL, the URL will be in it.

Since some big names are currently trying to understand the attack, it seems reasonable to suppose that they already set up some honeypot virtual machines, to observe the infection and observe the result. As a consequence, if the botnet is HTTP-based, they already know the villain's server address, and Special Forces / Spetsnaz / SAS / Légion Étrangère are on their way to explain to him the true meaning of pain.

This does not appear to be happening right now, so I suppose that the botnet is more protected than that, and uses a decentralized method of communication. This is what spy networks, terrorist organizations and resistance forces have done for many decades. "IRC" and "P2P" are two variants of that principle. In an IRC-based botnet, the network of cooperating IRC servers acts as an involuntary (but often complacent) transport medium; "P2P" will be used to qualify botnets which simply skip that crude piece of old technology and send their packets all alone. In a properly managed botnet, each infected host would know the addresses of only a few other hosts: its cell, and some hosts in adjacent cells.

My bet would go on P2P, but that's just a gut feeling.

Tom Leek
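One way to make the "what information is sufficient" part of the question concrete, as an added example that is not part of the question or the answer above: a heuristic that judges the command channel from the shape of the connection summaries a honeypot VM would record after infection. The flow-record layout, the proto_label field (what a protocol dissector tagged each flow as), the thresholds and all hosts and addresses are constructed assumptions.

```python
from collections import Counter

# Constructed flow summaries as a honeypot VM might record them (assumption):
# (direction, remote_host, remote_port, proto_label)

def classify_c2(flows, peer_threshold=20):
    """Judge IRC, HTTP or P2P command channel from outbound/inbound flow shape."""
    out = [f for f in flows if f[0] == "out"]
    if not out:
        return "unknown"
    n = len(out)
    labels = Counter(f[3] for f in out)          # dissector labels per flow
    hosts = Counter(f[1] for f in out)           # distinct remote hosts contacted
    in_hosts = {f[1] for f in flows if f[0] == "in"}
    # IRC: most sessions dissect as IRC and go to a handful of servers
    if labels["irc"] / n >= 0.5 and len(hosts) <= 5:
        return "irc"
    # HTTP: repeated polling of one fixed controller host (the URL is "in it")
    top_count = hosts.most_common(1)[0][1]
    if labels["http"] / n >= 0.5 and top_count / n >= 0.5:
        return "http"
    # P2P: many distinct peers on a custom protocol, and several of those peers
    # also connect back inbound, i.e. the host itself serves the overlay
    symmetric = len(in_hosts & set(hosts))
    if len(hosts) >= peer_threshold and symmetric >= 3:
        return "p2p"
    return "unknown"

def sample_flows(kind):
    """Constructed sample captures, one per botnet type (not real traffic)."""
    if kind == "irc":
        return ([("out", "irc.example.net", 6667, "irc")] * 40
                + [("out", "203.0.113.5", 80, "http")] * 5)
    if kind == "http":
        return ([("out", "c2.example.com", 80, "http")] * 30
                + [("out", "203.0.113.9", 80, "http")] * 4)
    peers = [f"198.51.100.{i}" for i in range(1, 31)]
    flows = [("out", p, 40000 + i, "unknown") for i, p in enumerate(peers)]
    flows += [("in", p, 40000, "unknown") for p in peers[:8]]
    return flows

if __name__ == "__main__":
    for kind in ("irc", "http", "p2p"):
        print(kind, "->", classify_c2(sample_flows(kind)))
```

The three signals the heuristic keys on (protocol label, number of distinct remote hosts, and whether contacted peers also connect inbound) are the minimum a honeypot capture has to record for this judgement to be made at all.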