Botnet Operators Infecting Servers, Not Just PCs

Botnet operators have always been able to easily infect and convert PCs into bots, but they also are increasingly going after servers -- even building networks of compromised servers.

Web servers, FTP servers, and even SSL servers are becoming prime targets for botnet operators, not as command and control servers or as pure zombies, but more as a place to host their malicious code and files, or in some cases to execute high-powered spam runs.

"FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots," says Mikko Hypponen, chief research officer at F-Secure. "Another thing we've noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads."

Why SSL servers? "If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won't be able to scan for the malware in transit, making it easier to sneak in," Hypponen explains.

Shadowserver, a nonprofit that tracks botnet activity, has seen botnets building their own networks of compromised servers as sort of sub-botnets for the botnet's use. "Now we're starting to see a botnet of servers ... What's interesting is we're finding these networks of connected servers are under a certain person's control," says Andre DiMino, director of Shadowserver.

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, experts say.

For some time the bad guys have been hijacking FTP servers and using SQL injection to compromise legitimate Websites, which they in turn use to recruit more bots or to steal valuable credentials, data, or credit-card numbers. And some botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth. Joe Stewart, director of malware research for SecureWorks, says he sees bot code written in PHP and Perl that's designed for server-based bots. These bots are typically used as spamming engines: "The general purpose of these attacks is to send spam, either email spam or blog spamming," he says. "The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out."

The botnet operators and attackers who recruit servers have expertise in server vulnerabilities. Marc Maiffret, chief security architect at FireEye, says he hasn't seen much server-based bot activity. But he agrees that the bad guys compromise servers using techniques such as SQL injection as a way to grab more PC bots. "I think that the focus there on servers is really again more to help more easily infect a larger number of desktops," Maiffret says."You can think of this SQL/Web-spread vector as the modernized version of what use to happen with email and such many years ago."

Maiffret says he expects trusted and legitimate Websites will start to become the source of the majority of Web attacks in 2010.

FTP servers, meanwhile, have been a big target for botnets and bad guys looking for an easy mark. Some organizations use the TCP/IP file-transfer protocol to upload Web pages to the Websites or to send files that are too large to travel via email. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for Biscom. "FTP is being used to transfer bot code to other machines, servers, and users," Ho says. "If the FTP server is not secured properly and an FTP site has access to other parts of the system with vulnerabilities, the attacker can install [malware] at that location and infect and compromise that server."

And FTP tends to be one of the weakest links, anyway, says Paul French, vice president of products and solutions marketing for Axway. "FTP is pretty ubiquitous ... The reality is that FTP has been around long enough for people to know the risks associated with it. But sometimes convenience outweighs good IT security [practices]," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.