Itsoknoproblembro [High Risk]

Published January 3, 2013

The itsoknoproblembro distributed denial of service (DDoS) toolkit threatens web content management systems by infecting servers with malicious PHP scripts. This cybersecurity threat advisory includes profiles of 11 different attack signatures with detailed SNORT rules for DDoS mitigation and detection rules to identify infected web servers (bRobots). The report also includes a free log analysis tool (BroLog.py) that can be used to pinpoint which scripts were accessed, the IP address used and the specific DDoS targets, to aid sanitization efforts.
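The sanitization step described above, pinpointing which scripts on a compromised web server were accessed and from which client addresses, can be reproduced with a short access-log triage pass. The following is an added example written for this page; it is not BroLog.py and not code from the advisory. It assumes Apache "combined" log format and a constructed set of sample lines, and it flags PHP scripts served from directories that normally hold only static content (uploads, images, caches), which is an assumption about where dropped PHP files tend to appear rather than anything the advisory states.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not from the advisory).
# Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2013:10:01:12 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2013:10:01:15 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jan/2013:10:02:40 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.33 - - [03/Jan/2013:10:03:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.8 - - [03/Jan/2013:10:04:22 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 512 "-" "-"
"""

# One regex for the combined log format: client IP, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Directories that should only ever serve static files; a PHP script executing
# from one of these is a strong hint of a dropped file. This list is an
# assumption for the example, not taken from the advisory.
STATIC_ONLY_DIRS = ("/wp-content/uploads/", "/images/", "/cache/", "/tmp/")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip the query string so hits are grouped by script, not by parameters.
    rec["script"] = rec["path"].split("?", 1)[0]
    return rec


def php_script_hits(log_text, static_only_dirs=STATIC_ONLY_DIRS):
    """Group requests for .php scripts by script path.

    For each script, collect the hit count, the set of client IPs, the HTTP
    methods used, and whether the script lives in a static-only directory.
    """
    hits = defaultdict(
        lambda: {"count": 0, "ips": set(), "methods": set(), "suspicious": False}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["script"].lower().endswith(".php"):
            continue
        entry = hits[rec["script"]]
        entry["count"] += 1
        entry["ips"].add(rec["ip"])
        entry["methods"].add(rec["method"])
        if rec["script"].startswith(static_only_dirs):
            entry["suspicious"] = True
    return dict(hits)


def suspicious_scripts(log_text):
    """Return the sorted list of script paths flagged as suspicious."""
    return sorted(p for p, e in php_script_hits(log_text).items() if e["suspicious"])


if __name__ == "__main__":
    for path, entry in php_script_hits(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {path} hits={entry['count']} "
              f"ips={sorted(entry['ips'])} methods={sorted(entry['methods'])}")
```

On a real server the output should be read alongside a file listing of the flagged directories: a `.php` file that appears in both the web log and a directory meant for uploads or images is the kind of artifact that merits removal, and the client IPs that posted to it are the ones to carry into firewall and SNORT rules.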

What You Need to Know

  • The eradication of the itsoknoproblembro toolkit and its attack methods will take time.
  • Many skilled experts and security teams have worked hard to reverse-engineer this kit and remove many of its infections.
  • The continued use of outdated content management system (CMS) products with vulnerabilities is a rampant problem today.
  • DDoS attackers compromise outdated web applications because it is effective.
  • CMS developers should make it simpler for users to update a CMS product after customizing it, so that the need to reconfigure after each update does not keep users from running the most up-to-date software.

Background

Throughout the fall of 2012, a very public DDoS campaign emerged that targeted multiple sectors with unprecedented levels of malicious DDoS traffic. The attacks made use of thousands of compromised web servers and a multi-tiered attack-and-control topology.

  • Unlike traditional botnets that rely on infected workstations, this toolkit utilized an advanced booter script suite that made use of hacked web servers.
  • The use of web servers allowed the attackers to harness greater bandwidth with fewer infected machines.
  • The web servers were compromised through the exploitation of publicly known web application vulnerabilities in multiple applications.
  • Analysts discovered instances of this toolkit in compromised web applications such as Joomla, WordPress, AWStats, Plesk, cPanel, phpMyFAQ and numerous others.

Attackers made use of vulnerabilities within outdated versions of the applications or exploited public vulnerabilities within third-party plugins or themes.

  • Some of the common vectors were the Joomla Blue Stork theme vulnerability and the WordPress TimThumb vulnerability.
  • Attackers made use of SQL injection (SQLI) vulnerabilities, Remote File Inclusion (RFI) vulnerabilities and Remote Code Execution (RCE) vulnerabilities in order to drop PHP shells and file uploaders onto the web servers.
  • Over time this approach matured into a purpose-built file that allows dynamic code to be executed on the compromised server.

Servers that contained the itsoknoproblembro toolkit often showed evidence of multiple points of compromise and were being used for several malicious purposes at once, such as spam and phishing. This outcome suggests two possibilities:

  • Malicious actors behind the attacks were making use of previously compromised web servers that they were able to identify, or
  • Attackers coordinated with other hacker groups to pool a large number of hacked servers to push out the itsoknoproblembro toolkit.

In either case, the end result was a large number of zombied web servers that were able to generate in excess of 70 Gbps of DDoS traffic at their peak.