January 09, 2013, 3:51 PM — Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions -- thought by some to be the work of Iran -- are using botnets for hire.
The compromised website contained a PHP-based backdoor script that was regularly instructed to send numerous HTTP and UDP (User Datagram Protocol) requests to the websites of several U.S. banks, including PNC Bank, HSBC and Fifth Third Bank, Ronen Atias, a security analyst at Web security services provider Incapsula, said Tuesday in a blog post.
Atias described the compromised site as a "small and seemingly harmless general interest UK website" that recently signed up for Incapsula's services.
An analysis of the site and the server logs revealed that attackers were instructing the rogue script to send junk traffic to U.S. banking sites for limited periods of time varying between seven minutes and one hour. The commands were being renewed as soon as the banking sites showed signs of recovery, Atias said.
During breaks from attacking financial websites the backdoor script was being instructed to attack unrelated commercial and e-commerce sites. "This all led us to believe that we were monitoring the activities of a Botnet for hire," Atias said.
"The use of a Web Site as a Botnet zombie for hire did not surprise us," the security analyst wrote. "After all, this is just a part of a growing trend we're seeing in our DDoS prevention work."
"In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers," Atias said. "It makes perfect sense. These are generally stronger machines, with access to the high quality hoster's networks and many of them can be easily accessed through a security loophole in one of the sites."
Another interesting aspect of the PHP-based backdoor analyzed by Incapsula is that it had the ability to multiply on the server in order to take full advantage of its resources, Atias said. "Since this is a server on the hoster's backbone, it was potentially capable of producing much more traffic volume than a regular 'old school' botnet zombie."
In addition, the backdoor script provided an API (application programming interface) through which attackers could inject dynamic attack code in order to quickly adapt to changes in the website's security, Atias said.
The attack script on the compromised U.K. website was being controlled through another website in Turkey that belongs to a Web design company. Incapsula's researchers believe that the Turkish site had been compromised as well and was serving as a bridge between the real attackers and their website-based botnet.