
CMS Websites and FTP Servers Targeted by Brute-Force Password-Guessing Malware Called Fort Disco

Posted: September 30, 2013

We are all advised, in one form or another, to use strong passwords for online accounts, website logins, and even access to email and FTP servers. A piece of malware has been cleverly designed to launch a brute-force password-guessing attack against particular websites built using content management systems, such as WordPress and Joomla.

The brute-force password-guessing malware has been identified as Fort Disco, a threat documented in August by researchers from DDoS mitigation vendor Arbor Networks. Fort Disco can be compared to data-theft botnets like the infamous Zeus Trojan. At the time of discovery, it was estimated to have infected over 25,000 Windows PCs, from which it could guess the administrator account passwords on over 6,000 websites built with WordPress, Datalife Engine and Joomla.

Once a system is infected, the malware is known to periodically connect to a command and control (C&C) server to retrieve additional instructions to carry out. The instructions usually contain a list of thousands of websites to target and the passwords to try against them.

Fort Disco in its current variation has evolved from previous versions, which brute-forced POP3 and FTP credentials. This poses an even greater risk to websites, because cybercrooks could distribute attacks across a large number of machines.

In the past, attacks against sites using popular CMS platforms, such as WordPress and Joomla, were performed using Perl or Python scripts hosted on rogue servers. With the latest Fort Disco malware, the attacks may be easily distributed in several ways, such as through FTP, POP3 and other avenues that lead to a path through a vulnerable server.

Administrators and users of WordPress and other sites built on a CMS platform are urged to update their software and use methods to protect their logins, databases and server access.
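Because the guessing is spread across many infected machines, a per-address login limit can miss it. The following is an added example, not code from the article or from Arbor Networks, that counts login POSTs per login page across all sources in a web access log; the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Login endpoints of two CMS platforms named in the article.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
# Common/combined access-log prefix: ip, ident, user, [time], "METHOD url proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def build_sample_log():
    """Constructed sample: 10 sources send 2 login POSTs each, plus one normal user."""
    lines = []
    for host in range(1, 11):
        for attempt in range(2):
            lines.append(
                f'198.51.100.{host} - - [30/Sep/2013:10:{host:02d}:{attempt:02d} +0000] '
                '"POST /wp-login.php HTTP/1.1" 200 3120')
    lines.append('203.0.113.5 - - [30/Sep/2013:10:30:00 +0000] '
                 '"GET /index.php HTTP/1.1" 200 5120')
    lines.append('203.0.113.5 - - [30/Sep/2013:10:30:05 +0000] '
                 '"POST /administrator/index.php HTTP/1.1" 303 0')
    return "\n".join(lines)

def login_posts(log_text):
    """Yield (source_ip, path) for every POST to a known CMS login page."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, url = m.groups()
        path = url.split("?", 1)[0]
        if method == "POST" and path in LOGIN_PATHS:
            yield ip, path

def detect(log_text, per_ip_limit=5, total_limit=15, min_sources=5):
    """Return (noisy_ips, distributed); the thresholds are illustrative assumptions."""
    per_ip = defaultdict(int)
    per_path = defaultdict(lambda: defaultdict(int))
    for ip, path in login_posts(log_text):
        per_ip[ip] += 1
        per_path[path][ip] += 1
    # Classic check: one address exceeding its own attempt limit.
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    # Distributed check: many attempts on one login page from many addresses.
    distributed = {}
    for path, sources in per_path.items():
        total = sum(sources.values())
        if total >= total_limit and len(sources) >= min_sources:
            distributed[path] = (total, len(sources))
    return noisy_ips, distributed

if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the constructed log, no single address exceeds the per-address limit, yet the WordPress login page is flagged with 20 attempts from 10 sources.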
