Security vendor ESET has documented Sathurbot, a backdoor Trojan that turns infected Windows PCs into a botnet used to compromise sites running on the popular blogging platform WordPress. The backdoor was first spotted in June 2016, but it resurfaced in April 2017, this time spreading through the torrent ecosystem. Software torrents are especially well suited to malware distribution because the download bundles the program's installer as an executable that the victim runs willingly.
Sathurbot Attack, or Why You Shouldn’t Download Torrents
There are many reasons not to use torrent download websites, and one of them is the risk of downloading viruses or malware. Sathurbot sets the stage for a classic Trojan attack by creating a scenario that is almost too good to be true. Looking for "free" premium content? You may find exactly what you seek, yet get more than you bargained for.
In fact, Google may show relevant results from a site you've never used for torrents. But hey, you're in a rush, and the content you want is at your fingertips with plenty of seeders, so the download should zip along quickly. Little do you know, the site has been hijacked: it is a legitimate WordPress site the botnet has broken into and seeded with torrent pages. Whether you're looking for a good flick or the latest software, you'll be the next victim if you continue with the process.
Torrent users unlucky enough to fire up Sathurbot's installer automatically load the DLL that triggers the infection. From there you'll get an error message, but by then it's too late: the infection is already at work in the background, adding your machine to the Sathurbot botnet. After a reboot, the malware contacts a command-and-control server that directs it to perform a number of actions. For instance, the Trojan can report a successful installation, fetch updates that give it new functionality, or download other malware onto the infected system.
Trojan Targets WordPress Without Getting Blacklisted
Some members of the Sathurbot army are tasked with spreading the infection. Others are instructed to attack WordPress. Armed with a huge list of domains, the attack bots target the site's XML-RPC API (xmlrpc.php), which accepts a username and password on every call. They attempt to get in by brute force, which here means nothing more sophisticated than guessing username and password combinations: no encryption is "cracked", weak credentials are simply guessed outright.
A conventional brute-force attack from one machine fires hundreds or thousands of username and password combinations at the same site and quickly trips per-IP rate limiting or blacklisting. Sathurbot instead has each bot make a single login attempt per site and then move on to the next domain, while other bots in the botnet try other credentials against the same site. No single IP address ever looks abusive, so it stays off blacklists and remains usable for future attacks.
Recovery and Prevention For WordPress Admins
As of this writing, Sathurbot has infected some 20,000 computers. Because the attack has been so effective, WordPress admins are urged to be on the lookout for signs of suspicious activity. Newly published pages and directories you didn't create, or any mention of torrent downloads in your admin panel, are dead giveaways. You can also examine your server logs for traces of an attack or backdoor. Keep in mind that WordPress answers a failed XML-RPC login with HTTP 200 and an XML fault in the response body (faultCode 403, "Incorrect username or password"), so the failure does not show up in the status column; look instead for bursts of POST requests to xmlrpc.php from many different IP addresses, each making only one or two attempts. HTTP 401 and 403 responses, which the web server or a security plugin returns when it rejects a request outright, are worth correlating as well.
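The pattern described above, one attempt per bot spread across many IP addresses, is exactly what a per-IP threshold misses. The script below is an added example, not code from the article or from ESET: it parses a few constructed combined-format access-log lines (not real traffic), shows that a per-IP rule finds no offender, and then flags a time window in which many distinct IPs each POST to xmlrpc.php once. The window size and the five-IP threshold are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in combined log format; not real traffic. Five bots
# each POST once to xmlrpc.php, then one legitimate admin logs in. Note that
# every XML-RPC attempt gets HTTP 200: the login failure is in the XML body.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2017:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 393 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2017:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 393 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2017:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 393 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Apr/2017:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 393 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2017:10:01:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 393 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2017:10:01:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2017:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2017:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def is_xmlrpc_login(rec):
    """Sathurbot talks to the XML-RPC endpoint, always via POST."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/xmlrpc.php")


def per_ip_offenders(records, threshold=10):
    """Classic per-IP rule: IPs with at least `threshold` XML-RPC POSTs.
    Against one-attempt-per-bot traffic this returns nothing."""
    counts = Counter(r["ip"] for r in records if is_xmlrpc_login(r))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def detect_distributed_xmlrpc(records, window_seconds=300, min_ips=5):
    """Flag fixed time windows in which many distinct IPs hit xmlrpc.php,
    each only a few times: the signature of a botnet spreading its guesses."""
    buckets = defaultdict(list)
    for r in records:
        if is_xmlrpc_login(r):
            buckets[int(r["ts"].timestamp()) // window_seconds].append(r)
    alerts = []
    for key in sorted(buckets):
        hits = buckets[key]
        per_ip = Counter(h["ip"] for h in hits)
        if len(per_ip) >= min_ips:
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_seconds, hits[0]["ts"].tzinfo),
                "attempts": len(hits),
                "distinct_ips": len(per_ip),
                "max_per_ip": max(per_ip.values()),
                # typically all 200: the XML fault lives in the body, not the status
                "statuses": sorted(set(h["status"] for h in hits)),
            })
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-IP offenders (threshold 3):", per_ip_offenders(recs, threshold=3))
    for alert in detect_distributed_xmlrpc(recs):
        print("distributed XML-RPC brute force:", alert)
```

Run against a real access log, the per-IP rule stays quiet while the window rule fires; a sustained stream of single-shot xmlrpc.php POSTs from unrelated addresses is the thing to alert on, whatever the status codes say.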
The botnet element of Sathurbot is primarily web-based, so the steps for removal and recovery differ a bit from how you'd approach a desktop infection. Here are a few steps you can try:
- Manually delete any suspicious sub-pages
- Use a file manager (or a file-integrity comparison against a clean backup) to pinpoint files that were added or changed without your knowledge, and remove them. The DLL that carried the infection lives on the compromised Windows PC, not on the web server, and has to be cleaned there
- If you don't have a web-based anti-malware solution, use an online scanning tool to confirm the threat has been removed
- As a last resort, you may want to consider deleting your entire WordPress installation and restoring it from a backup.
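Steps two and four above both depend on having a known-good copy of the site to compare against. The script below is an added example, not code from the article: it hashes every file in a backup and in the live install, reports what was added, removed or modified, and greps the live tree for torrent references like those the article says appear in hijacked sites. The directory layout and file contents are a constructed scenario built in a temporary directory, so the script runs offline; point `hash_tree` at your real backup and web root instead.

```python
import hashlib
import os
import shutil
import tempfile


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(baseline, current):
    """Compare the manifest of a clean backup with the manifest of the live site."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def grep_tree(root, needles=("torrent", "magnet:?")):
    """Return files whose content mentions any needle (case-insensitive)."""
    hits = {}
    lowered = tuple(n.lower() for n in needles)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                text = f.read().decode("utf-8", "replace").lower()
            found = [n for n in lowered if n in text]
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


# Constructed clean site: the same files exist in the backup and the live copy.
CLEAN_FILES = {
    "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?>\n",
    "wp-content/uploads/2017/04/photo.jpg": "not really a jpeg\n",
}


def build_demo():
    """Constructed scenario: a clean backup, and a live copy with two injections
    (a new download page and a theme footer seeded with a torrent link)."""
    base = tempfile.mkdtemp()
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    try:
        for root in (backup, live):
            for rel, body in CLEAN_FILES.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    f.write(body)
        injected = os.path.join(live, "wp-content/uploads/dl/index.php")
        os.makedirs(os.path.dirname(injected), exist_ok=True)
        with open(injected, "w") as f:
            f.write("<?php echo '<a href=\"/dl/movie.torrent\">Download torrent</a>';\n")
        with open(os.path.join(live, "wp-content/themes/demo/footer.php"), "a") as f:
            f.write("<a href='http://example.invalid/free'>free torrent</a>\n")
        report = diff_trees(hash_tree(backup), hash_tree(live))
        report["mentions"] = grep_tree(live)
    finally:
        shutil.rmtree(base)
    return report


if __name__ == "__main__":
    for key, value in build_demo().items():
        print(f"{key}: {value}")
```

On a real site, take the baseline manifest from the backup you restored last, not from the live server, and treat any added PHP file under wp-content/uploads as hostile until proven otherwise.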
As Always, Backups Can Save the Day
Remember that a good backup plan comes in handy whether your system runs locally or online. Backup vendors like StorageCraft offer complete solutions for data protection, whether you host data on-site, off-site or in hybrid environments. There is one more thing to keep in mind when discussing Trojans.
Like any credential brute-force attack, Sathurbot succeeds mainly against sites with weak passwords. That includes not only WordPress but Drupal and other platforms that expose an XML-RPC API. If you've been lazy with your password strategy, now is the time to adopt something more secure.
A long, unique password that no dictionary-style guess will hit is often enough to make the attackers give up and move on, at least for the time being. And if nothing on your site actually needs XML-RPC, restricting access to xmlrpc.php removes the interface Sathurbot targets altogether.