Researchers at security firm Imperva have discovered a botnet consisting of web servers, rather than individual PCs, that is being used to launch more devastating distributed denial-of-service (DDoS) attacks.
An attacker by the name of “Exeman” has infected around 400 web servers with a simple 40-line PHP script, which includes a malicious application that can be used to launch DDoS attacks, Imperva CTO Amichai Shulman told SCMagazineUS.com on Wednesday.
The application provides a dashboard and control panel that can be used to input the URL of an intended target and configure the IP, port and duration of the attack, Shulman said. The attacker may have leveraged a common flaw, called a remote file inclusion vulnerability, to compromise the servers.
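Because the suspected entry point is a remote file inclusion (RFI) flaw, the most useful first check for a server operator is whether any request has ever handed an include-style parameter a remote URL or a PHP stream wrapper. The following is an added example, not code from the article or from Imperva, that scans Apache/nginx "combined" access-log lines for such values. The log lines, IP addresses and parameter names are constructed for the example; the only real facts it relies on are the combined log format, PHP's `http://`/`ftp://` URL schemes and its `php://` and `data:` stream wrappers.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not taken from the article or any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2009:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2009:13:55:40 +0000] "GET /index.php?page=http://198.51.100.9/s.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2009:13:55:41 +0000] "GET /index.php?page=hTTps://198.51.100.9/s.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2009:13:55:42 +0000] "GET /index.php?page=http%3A%2F%2F198.51.100.9%2Fs.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Sep/2009:13:56:02 +0000] "GET /news.php?id=42&ref=https://www.example.org/ HTTP/1.1" 200 1844 "-" "curl/7.19"
192.0.2.44 - - [10/Sep/2009:13:56:10 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.19"
"""

# Apache/nginx "combined" log line; only the fields the scanner needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Prefixes that make PHP's include/require read code from somewhere other than
# the local filesystem: remote URL schemes plus the stream wrappers that turn
# request-supplied content into executable source.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def is_remote_include(value: str) -> bool:
    """True if a query-string value looks like a remote or wrapper include target."""
    return value.strip().lower().startswith(REMOTE_PREFIXES)


def scan_line(line: str) -> list:
    """Return one finding per query parameter whose value is a remote include target."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well as http://...
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_remote_include(value):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "param": name,
                "value": value,
                "status": int(m.group("status")),
            })
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log (one line per request) and collect all findings."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


def count_by_source(findings: list) -> Counter:
    """Findings per client IP; repeated hits from one address stand out quickly."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']} -> {f['status']}")
    print(count_by_source(hits))
```

The scanner deliberately flags every parameter carrying a URL, so a legitimate referrer-style parameter such as `ref=` in the sample shows up alongside the `page=` hits; triage by parameter name, by how many distinct requests come from one address, and by whether the server answered 200 rather than 404. Findings are most meaningful on hosts where the application passes a request parameter to `include`, and a 200 response to such a request is the case to investigate first.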
The infected servers have already been used to launch a DDoS attack against a Dutch internet service provider, Shulman said. In addition, the botnet may be rented out to other cybercriminals.
Traditional DDoS attacks use large numbers of compromised PCs to flood a target with traffic, he explained. Servers, on the other hand, are generally more difficult to compromise than PCs, but using them to launch a DDoS attack offers several advantages.
Servers have far more bandwidth available for an attack than PCs, for example, Shulman said. Attackers can also scale up the attack volume more easily by adding more compromised web servers.
“A lot of targets would suffer greatly being targeted by ten servers,” Shulman said. “The numbers you need to create an effective attack are much smaller than with personal computer botnets.”
Additionally, malware can remain undetected for a longer period on servers, since many do not have anti-virus software installed on them.
DDoS attacks are prevalent and often result in service disruptions and huge losses, according to a white paper detailing best practices for DDoS mitigation, released last week by VeriSign.
The paper cites Forrester survey data from July 2009 showing that 74 percent of IT decision-makers reported experiencing one or more DDoS attacks in the past year. In nearly one out of every three attacks, hackers were able to disrupt service. Some organizations incurred millions of dollars in losses for each hour online services were down.