Botnet comprised over 150,000 Joomla servers at one point

Feb 27, 2015 13:27 GMT

Systems running the Joomla content management system (CMS) have been targeted by cybercriminals and used for distributed denial-of-service (DDoS) attacks that leverage a known vulnerability in a version of the Google Maps plug-in.

The latest build of the plug-in is patched, but not all website administrators have applied the fix to their Joomla installations.

One of the bugs, discovered in February 2014, allows the plug-in to act as an open proxy, which the cybercriminals exploit for reflected DDoS.

Vulnerable systems added to ready-made DDoS tools

According to Akamai Technologies' Prolexic Security Engineering and Response Team (PLXsert), which worked with PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division), the attackers rely on ready-made tools created to abuse XML and Open Redirect functions in order to conduct the nefarious activity.

One of the utilities is DAVOSET (DDoS attacks via other sites execution tool), which automates the attack by maintaining the botnet and delivering instructions about the target, the number of requests each compromised machine should send and the necessary proxy settings.

“DAVOSET takes a list of known blind proxy scripts and services and uses them to stage a reflected GET flood against a target,” the researchers say.

The other tool is called UFONet and, just like DAVOSET, it makes available a web interface for automating and customizing the attack.

An advisory from PLXsert says that vulnerable machines are discovered through advanced search techniques (dorking) or by scanning the Internet.
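The mechanism described above, a "blind proxy" script that fetches whatever URL it is handed and so can be pointed at a third party, leaves a clear trace in the reflecting server's own access log: a burst of requests to the proxy endpoint whose `url` parameter names a host the plug-in has no business contacting. The following detection script is an added illustration and is not from the article or the Akamai/PLXsert advisory; the proxy script path (`PROXY_SCRIPT`), the allowlisted host, the IP addresses and the log lines are all constructed placeholders, since the page names none of them.

```python
"""Spot reflected-GET-flood abuse of a URL-fetching proxy script in a web
server access log.  Added example; all paths, hosts and log lines below are
constructed placeholders, not values taken from the advisory."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" log format: ip - - [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical location of the proxy script; real plug-ins use their own names.
PROXY_SCRIPT = "/plugins/content/example_map/example_proxy.php"

# Hosts the proxy legitimately needs to reach.  A fixed allowlist like this is
# also the usual fix for an open proxy: anything else is refused.
ALLOWED_TARGET_HOSTS = {"maps.googleapis.com"}

# Constructed sample log: one source hammering a third party through the proxy,
# one legitimate proxy use, one below-threshold request, a plain page hit and
# a malformed line that the parser must skip.
SAMPLE_LOG = [
    f'203.0.113.7 - - [27/Feb/2015:13:00:0{i} +0000] "GET {PROXY_SCRIPT}'
    f'?url=http://victim.example/page{i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for i in range(5)
] + [
    f'203.0.113.7 - - [27/Feb/2015:13:00:06 +0000] "GET {PROXY_SCRIPT}'
    '?url=http://maps.googleapis.com/maps/api/geocode/xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [27/Feb/2015:13:00:07 +0000] "GET {PROXY_SCRIPT}'
    '?url=http://victim.example/ HTTP/1.1" 200 512 "-" "curl/7.38"',
    '198.51.100.9 - - [27/Feb/2015:13:00:08 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "curl/7.38"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def proxy_target(path):
    """If the request hits the proxy script with a url= parameter, return the
    hostname it was asked to fetch (lower-cased); otherwise None."""
    parsed = urlparse(path)
    if parsed.path != PROXY_SCRIPT:
        return None
    urls = parse_qs(parsed.query).get("url")
    if not urls:
        return None
    host = urlparse(urls[0]).hostname
    return host.lower() if host else None


def is_allowed_target(host):
    """Allowlist check a hardened proxy would apply before fetching anything."""
    return host is not None and host in ALLOWED_TARGET_HOSTS


def find_reflection_abuse(lines, threshold=3):
    """Count proxy requests per (source ip, fetched host) for hosts outside the
    allowlist and report pairs at or above the threshold, busiest first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = proxy_target(rec["path"])
        if host is None or is_allowed_target(host):
            continue
        counts[(rec["ip"], host)] += 1
    findings = [(ip, host, n) for (ip, host), n in counts.items() if n >= threshold]
    return sorted(findings, key=lambda t: -t[2])


if __name__ == "__main__":
    for ip, host, n in find_reflection_abuse(SAMPLE_LOG):
        print(f"{ip} relayed {n} requests to {host} via {PROXY_SCRIPT}")
```

In a real deployment the threshold would be set per time window rather than over the whole file, and the same `is_allowed_target` check belongs inside the proxy script itself, where refusing non-allowlisted hosts removes the reflector regardless of who is scanning for it.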

Germany hosts most of the servers used in the attacks

PLXsert has been tracking the campaign since September 2014 and at one point determined that the botnet consisted of 150,000 compromised machines.

However, many of them no longer appear to be part of the botnet, as patches and updates have been applied or the machines have been locked down through PHP configuration or server hardening.

On the other hand, the DDoS activity from this threat actor continues in 2015: Akamai has observed eight incidents directed against its customers this year, all bearing Joomla signatures.

The researchers found that most of the machines leveraged in the attacks were located in Germany (31.8%). Systems in the US, Poland, the Netherlands and France were also used by the threat actor.

Images: web-based configuration panel for the UFONet DDoS attack tool; top five countries hosting abused Joomla servers.