Web Server Botnets and Server Farms as Attack Platforms

Are file inclusion vulnerabilitiess equivalent to remote code
execution? Are servers (both Linux and Windows) now the lower hanging
fruit rather than desktop systems?

In the February edition of the Virus Bulletin magazine, we (Kfir
Damari, Noam Rathaus and Gadi Evron (me) of Beyond Security) wrote
an article on cross platform web server malware and their massive use as
botnets, spam bots and generally as attack platforms.

Web security papers deal mostly with secure coding and application
security. In this paper we describe how these are taken to the next level
with live attacks and operational problems service providers deal with

We discuss how these attacks work using (mainly) file inclusion
vulnerabilities (RFI) and (mainly) PHP shells.
Further, we discuss how ISPs and hosting farms suffer tremendously from
this, and what can be done to combat the threat.

I'd like to write more on this here, and ask for the community's feedback
on what others see in this field and how you deal with similar issues.

Malware is often built to operate within a certain OS environment. Web
server malware is completely cross-platform (as long as a web daemon which
supports scripting can be found such as IIS, Apache, etc.). These malware
attack the web application first, and only then further compromise takes
place platform by platform, using the web server's privileges.

Most web servers are being compromised by these attacks as a result of an
insecure web application written in PHP, although attacks for other
scripting languages such as Perl and ASP are also in-the-wild.

The main reason for this is that many different PHP applications are
available online, and often freely as open source, which makes them a
popular selection for use on many web sites. Another reason for the
popularity of attacks against PHP applications is that writing securely in
PHP is very difficult, which makes most of these PHP applications
vulnerable to multiple attacks, with hundreds of new vulnerabilities
released publicly every month.

While in the past botnets used to be composed of mainly broadband end
users running Windows, today we can see more and more server botnets we
can refer to as "IIS botnets" or "Linux botnets" as a direct result of
these attacks.

One of the conclusions we reached was that although the technologies used
are not new (RFI, PHP shells, etc.) the sheer scale of the problem is
what's interesting.

In our research as detailed in the Virus Bulletin article we recognize
that vulnerabilities such as file inclusion, as simple as they may be, are
equivalent to remote code execution in effect.

Although escalation wars, which are reactive in nature, are a solution we
hate and are stuck with on botnets, spam, fraud and many other fronts,
this front of web server attacks stands completely unopposed and
controlled by the bad guys. In our research we detail how over-time, when
aggregated, most attacks come from the same IP addresses without these
ever getting blocked.

ISPs and hosting farms selling low-cost hosting services can not cope with
this threat, especially where an attack against one user running such an
application can compromise a server running 3000 other sites.

Another issue discussed was
the formation of the Web Honeynet Task Force
( http://www.webhoneynet.net/ renamed from the Web Honeynet Project to
avoid confusion with the honeynet project).

I write more about this and host the paper on my blog at SecuriTeam
( http://blogs.securiteam.com/index.php/archives/815 ). All
rights for the article itself belong to the Virus Bulletin magazine.

  Gadi Evron.