The PBot botnet was the most significant DDoS malware around in Q2 2017. Malicious actors employed decades-old PHP code to craft the largest attack that security firm Akamai observed in the second quarter of last year, according to its quarterly security report.
While it consisted of a relatively small 400 nodes (compared to the tens of thousands seen with IoT botnets), the PBot botnet could still generate a dramatic amount of attack traffic. Attackers created a mini-DDoS botnet that could launch a 75 Gbps DDoS attack. This was because the PBot malware infected web servers rather than small devices, allowing it to produce more DDoS traffic per device than an IoT botnet.
PBot node scans by Akamai revealed the presence of Apache Tomcat, in addition to the PHP interpreter. Apache Struts exploits were observed in the wild issuing commands that try to download and execute code in order to deliver the PBot malware. In Akamai’s words, “Although not as trivial to exploit as the hard-coded telnet passwords used to gain access and compromise cameras for the Mirai botnet, this vulnerability is just one example of how an attacker will leverage a weakness to gain control of a device or server”.
The Akamai researchers pointed out that by quickly gaining control of just 400 bots, an attacker was able to generate enough traffic to impact a victim’s servers. It led Akamai to wonder if this kind of subtle, targeted attack might be intended to avoid drawing attention and elude detection in comparison to some of the massive DDoS floods we have been seeing in the last couple years.
The first PBot attack occurred on May 8th when it targeted a financial customer. The attackers were particularly aggressive in the initial few days, with the strongest attack occurring on May 9th at 75 Gbps. All the subsequent attacks were also UDP floods; however, some packet analysis tools also attempted to decode the packets based on the target port. This indicates that the attackers may have previously conducted reconnaissance of the target network.
PBot controls its bots via Internet Relay Chat (IRC), a classic command-and-control architecture. Once a potential bot runs the malicious PBot PHP code, it automatically connects to the specified IRC channel. The source code includes the settings for this communication. Once a bot connects, it is ready to receive commands, which include carrying out DDoS attacks.
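A web server that opens outbound IRC connections is the observable side of the command-and-control pattern described above. The following detection routine is an added example, not code from the article or from Akamai; the connection-log format, the set of hosts treated as web servers and the IRC port watch-list are assumptions constructed for the illustration.

```python
# Added example (not from the article or Akamai): flag web servers opening
# outbound IRC connections, the PBot command-and-control pattern described above.
# Log format, host roles and the IRC port list are assumptions for this illustration.
from collections import defaultdict

# Constructed connection-log lines: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2017-05-08T10:00:01 10.0.1.20 44120 203.0.113.9 443 tcp
2017-05-08T10:00:04 10.0.1.20 44121 198.51.100.7 6667 tcp
2017-05-08T10:00:09 10.0.1.21 51002 198.51.100.7 6667 tcp
2017-05-08T10:01:12 10.0.1.20 44122 198.51.100.7 6667 tcp
2017-05-08T10:02:30 10.0.2.5 39001 198.51.100.7 6667 tcp
2017-05-08T10:03:00 10.0.1.22 40000 203.0.113.10 80 tcp
"""

# Hosts that should only serve HTTP(S); any outbound IRC from them is suspect (assumed).
WEB_SERVERS = {"10.0.1.20", "10.0.1.21", "10.0.1.22"}
# Conventional IRC ports used as the watch-list (assumed; adjust to your environment).
IRC_PORTS = {6667, 6668, 6669, 6697}

def parse_line(line):
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def find_irc_c2(log_text, web_servers=WEB_SERVERS, irc_ports=IRC_PORTS):
    """Return {web_server: {irc_dst_ip: connection_count}} for outbound IRC from web servers."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] in web_servers and rec["proto"] == "tcp" and rec["dport"] in irc_ports:
            hits[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}

def shared_c2_servers(hits, min_hosts=2):
    """Destinations contacted by several web servers: a likely common IRC C2 channel."""
    count = defaultdict(set)
    for src, dsts in hits.items():
        for dst in dsts:
            count[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in count.items() if len(srcs) >= min_hosts}

if __name__ == "__main__":
    hits = find_irc_c2(SAMPLE_LOG)
    for src, dsts in hits.items():
        print(f"web server {src} -> IRC {dsts}")
    print("shared C2 candidates:", shared_c2_servers(hits))
```

The non-web host 10.0.2.5 is deliberately left out of the result, since the signal here is the role mismatch (a web server talking IRC), not IRC traffic as such.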
Akamai noted a trend toward smaller attacks, exemplified by PBot, in Q2 of 2017. While bigger attacks have recently been on the rise, the number of sophisticated multi-vector attacks has also increased. The problem of ports being open and accessible from the Internet when they need not be continues today, as does the issue of specific ports being targeted during a smaller DDoS episode. Applying regular patches and ensuring that unnecessary services are firewalled can help block access from external sources and prevent such botnets from forming in the future.