With the number of bot malware discovered and analyzed by the security industry over the years, it is easy to claim that we have seen it all. Enter PHP_PBOT.A, a PHP script-bot sporting a routine heretofore only practiced by Trojan-downloaders: Web server upload.
As a bot, its backdoor capabilities and possible vulnerability exploits warrant a been-there-done-that. The fact, however, that it can be uploaded to target Web servers adds the oomph to its otherwise blah routine. Thus, via affected Web servers, users who access the Web page that contains this malicious script get their systems affected pronto.
This is a new twist to how bots create a zombie network. Most bots propagate via network shares. True, it’s easy to infect a whole network, but at least one machine in that network should get infected first and spark the propagation. The biggest challenge for a bot is therefore to affect that first system.
With the use of Web servers, PHP_PBOT.A brings bot propagation from local networks to the biggest network of all — the Web. Whether that is a leap forward for bots or actually a step backward, we have yet to know.
Are script-bots on Web servers the next big bot trend? Are they the next step in the evolution of a more powerful zombie?