Experiment finds hacked servers used to carry out DDoS, not spread malware or spam.
Experiment finds hacked servers used to carry out DDoS, not spread malware or spam.

Sucuri researcher Daniel Cid found that it only took an attacker 12 minutes to compromise an IPv4 server and shortly after, use it to launch a DDoS attack on an unsuspecting victim while performing an experiment to see how long it would take to brute force compromise IPv4-only and IPv6-only servers.

To do this, the researcher configured five cloud servers on Linode and Digital Ocean with the root password set to “password,” according to a Sept. 28 blog post. The experiment found that it didn't take long after the first IPv4 server was hacked to compromise the remaining IPv4 servers.

The IPv6 servers, however, have yet to be attacked and Cid suspected that the obscurity of IPv6 helps to minimize the noise of attacks. This was likely because it's more difficult to map the range of the IPv6 addresses which is (2^128) than it is with the range of IPv4 addresses which is (2^32), he said in the post.

“I don't think IPv6 is more secure, but the obscurity it provides does make it harder for brute force scanners to find it and attempt brute force attacks,” Cid told SCMagazine.com via emailed comments. “The IPv4 space is so small that within 12 minutes of a new IP being pushed live, it is already scanned.”

After the attacks, Cid was able to analyze the commands executed, tools downloaded, backdoors and malware which were installed during the DDoS attacks.

The attackers downloaded three tools including dos.py, down.pl and viteza.py for specific DDoS attacks, injected all hacked servers with the same type of code which Cid suspects will likely be used to carry out other DDoS attacks, the Linux/Xor.DDoS malware, and a “cron job” which ran every hour to re-enable the malware in case it gets removed, the blog said.

Cid noted that when you combine the power of the compromised servers with that of hacked IoT devices, an attacker could probably generate the power necessary to carry out attacks similar to the one of historic proportions that targeted the website of security researcher Brian Krebs.

“What really surprised me is that all servers that got compromised were used for DDoS attacks,” Cid said. “We used to be seeing them used for spam and malware distribution, but their behavior is changing and DDoS is becoming more and more common.”

Cid also said that next time he attempts an experiment like this he will be sure to disable networking right away after being compromised to limit casualties.