New DoS attack uses Web servers as zombies

Imperva says Web server-based botnet offers more attack power than PC-based botnets.

Elinor Mills Former Staff Writer
This screenshot shows the simple user interface used to launch the attack. The attacker simply specifies which IP address to target, how long the attack should run, and which port to target. The text at the bottom says "don't use it on your friends" in Indonesian. Screenshot by Elinor Mills/CNET

Researchers have uncovered a botnet that uses compromised Web servers instead of the usual personal computers to launch denial-of-service (DoS) attacks.

Security firm Imperva said on Wednesday it uncovered a botnet of about 300 Web servers after the company witnessed traffic coming from a compromised server and then searched for the attack code via Google. Web servers were commonly used in such attacks a decade ago but had been replaced by the more ubiquitous Windows-based PCs, said Amichai Shulman, chief technology officer at Imperva.

In the DoS attack Imperva observed, two Web servers were targeting an unnamed hosting provider based in The Netherlands, he said. The hosting provider was aware of the situation, Shulman said.

It appeared that the Web servers were being compromised with code that exploits a vulnerability in PHP, a programming language used for processing Web pages. Because the flaw is in PHP rather than in the Web server software itself, it can affect servers running Apache, Microsoft Internet Information Services (IIS), or other server software, he said.

The attack employs a simple user interface that allows someone to specify the victim's IP address and port, as well as how long the attack should last. The information is submitted on a form that includes a message in Indonesian that says "don't use it on your friends," according to a screenshot provided by Shulman.

The attacker, identified as "Exeman," was hiding his or her whereabouts using the anonymity-providing Tor network, he said.

Using Web servers provides much greater bandwidth for an attack, so fewer zombies are needed than when personal computers are used, Shulman said. It also lessens the chance that the compromise will be discovered, because Web servers don't typically run antivirus software.

"Instead of using 50 personal computers you can use a single server," he said. "To some extent, it's easier to maintain this kind of attack because there are fewer computers (involved) and there's less of a chance for the (attack) code to be detected."

Many DoS attacks are used to extort money out of Web site owners, Shulman said when asked what the motive for the attacks could be.