{"id":1598,"date":"2009-12-21T22:30:37","date_gmt":"2009-12-22T03:30:37","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/?p=1598"},"modified":"2022-12-30T12:37:02","modified_gmt":"2022-12-30T17:37:02","slug":"botnets-attacking-servers","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/botnets-attacking-servers\/","title":{"rendered":"Botnets Attacking Servers"},"content":{"rendered":"

\"Botnets Web servers, FTP servers, and even SSL servers are becoming prime targets for botnets. They are targets, not as command and control servers says Mikko Hypponen, chief research officer at F-Secure<\/a>, in a recent DarkReading<\/em><\/a> article, \u201cbut in some cases to execute high-powered spam runs<\/em>.”<\/p>\n

\"\"<\/a>Botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth says Joe Stewart, director of malware research for SecureWorks<\/a>. These bots are typically used as spamming engines: “The general purpose of these attacks is to send spam, either email spam or blog spamming,<\/em>” Stewart told DarkReading<\/em>. “The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out.<\/em>”<\/p>\n

Source of Web attacks<\/h3>\n

Marc Maiffret, chief security architect at FireEye<\/a> says he expects trusted and legitimate Websites will start to become the source of the majority of Web attacks in 2010. “I think that the focus there on servers is really again more to help more easily infect a larger number of desktops,<\/em>” Maiffret says.”You can think of this SQL\/Web-spread vector as the modernized version of what use to happen with email and such many years ago.”<\/p>\n

\"\"FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots<\/em>,” says Hypponen. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for Biscom<\/a>. “FTP is being used to transfer bot code to other machines, servers, and users,<\/em>” Ho says. “If the FTP server is not secured properly and an FTP site has access to other parts of the system with vulnerabilities, the attacker can install [malware] at that location and infect and compromise that server.<\/em>” \u00a0Paul French, vice president of products and solutions marketing for Axway<\/a> laments that. “FTP is pretty ubiquitous … The reality is that FTP has been around long enough for people to know the risks associated with it. But sometimes convenience outweighs good IT security<\/em> [practices].\u201d<\/p>\n

Botnets using SSL servers<\/h3>\n

Another thing we’ve noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-download<\/em>s” according to Hypponen.<\/p>\n

\"\"Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,<\/em>” Hypponen explains.<\/p>\n

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, DarkReading<\/em> concludes.<\/p>\n

 <\/p>\n

Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn<\/a>,\u00a0Facebook<\/a>,\u00a0and\u00a0Twitter<\/a>. Email the Bach Seat\u00a0here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

F-Secure says that web servers, FTP servers, and SSL servers are new targets for botnets in order to execute high-powered spam runs.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3216,58,107,118,1142,3079,1143,4,106,305],"class_list":["post-1598","post","type-post","status-publish","format-standard","hentry","category-security","tag-3216","tag-botnet","tag-f-secure","tag-fireeye","tag-ftp","tag-mikko-hypponen","tag-secureworks","tag-security","tag-servers","tag-ssl"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t