Malware that is specifically tailored to target and take control of web servers to enslave them into a botnet has been detected.
Speaking to IT Security Guru, Ryan Barnett, lead security researcher at Trustwave, said that while the company sees new files all of the time, what was distinctive about this was that the code was markedly different, and it aimed specifically at servers.
“They are the ‘super soldiers’ of a botnet as it gives the owner more horsepower and bandwidth and we see botnet owners take control of them,” he said.
“What was interesting about this was that it ran Pearl Scripts on an IRC channel and it was flagged in PHP code as there was different data to bring in files to execute on the operating system. We are not seeing this commonly as often, script kiddies just rip code off from each other. Here they had deployed new code and tactics.”
Barnett confirmed that this was only detected by one anti-virus technology and it was unique on Virus Total. Asked what he felt was new and distinctive, Barnett said that the use of an IRC channel was what caught its attention, and that this was unlikely to be the work of a sole person. The malware also came with a price tag of $125 for lifetime use.
“They would also sell for Bitcoin, and what we saw is that this would execute on the operating system and attack web applications and services to alter server privileges,” he said.
“There are different attacks on servers to end-users, and we see lots of attacks on servers but this looked to do what it wanted on the operating system and install malware on the web server module. Barnett said that malware targeted at servers is increasing but the use of Pearl Scripts and an IRC channel as a botnet was unusual here.”
Research by Trustwave believe the criminals in this case are not only building their botnet to launch future distributed denial-of-services (DDoS) attacks using this new variant of malware.
