Brute-force malware targets email and FTP servers

  • 30 September 2013

A piece of malware designed to launch brute-force password guessing attacks against websites built with popular content management systems like WordPress and Joomla has started being used to also attack email and FTP servers.

The malware is known as Fort Disco and was documented in August by researchers from DDoS mitigation vendor Arbor Networks who estimated that it had infected over 25,000 Windows computers and had been used to guess administrator account passwords on over 6,000 WordPress, Joomla and Datalife Engine websites.

Once it infects a computer, the malware periodically connects to a command and control (C&C) server to retrieve instructions, which usually include a list of thousands of websites to target and a password that should be tried to access their administrator accounts.

The Fort Disco malware seems to be evolving, according to a Swiss security researcher who maintains the Abuse.ch botnet tracking service. "Going down the rabbit hole, I found a sample of this particular malware that was brute-forcing POP3 instead of WordPress credentials," he said Monday in a blog post.
 

2 replies

Userlevel 7
We talked about this in August as well.  :) 
link
I guess it's still Stayin' Alive.
Userlevel 7
The following article is an update on Brute-force malware
 
(Brute-force bot busts shonky PoS passwords)
 
By: Darren Pauli, 10 Jul 2014
 
A botnet has compromised 60 point of sale (PoS) terminals by brute-force password attacks against poorly-secured connections, FireEye researchers say.
The trio including Nart Villeneuve, Joshua Homan and Kyle Wilhoit found 51 of the 60 popped PoS boxes were based in the United States.
The attacks were basic and targeted remote desktop protocol terminals that used shamefully simple passwords such as 'password1', 'administrator' and 'pos'.
 
The Register/ Full Read Here/ http://www.theregister.co.uk/2014/07/10/bruteforce_bot_busts_shonky_pos_passwords/
