Feeds

Stealthy, malware-spewing server attack not limited to Apache

Lighttpd, Nginx variants also discovered

High performance access to file storage

A mysterious backdoor that has been used to drive traffic to malicious websites may be more widespread than previously thought, security researchers say, and it affects more web servers than just Apache.

The malware – which has been dubbed "Linux/Cdorked.A" or "Darkleech," depending whom you ask – was first spotted in the wild in late April, when it was thought to have infected hundreds of web sites running on the Apache server.

More recently, however, researchers have also found instances of the Lighttpd and Nginx web server daemons that had been similarly modified to include Cdorked code.

Compromised servers redirect incoming HTTP requests to sites hosting the infamous Blackhole exploit kit but leave no traces in the server logs to alert admins of the malicious activity. All of the data related to the backdoor is held in shared memory and never touches the disk.

Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three. What is curious, however, is how they managed to smuggle their Trojanized versions onto active servers – not to mention what they hope to achieve by it.

"We still don't know for sure how this malicious software was deployed on the web servers," ESET security researchers write in a blog post. "We believe the infection vector is not unique."

Initially, the researchers had thought that the attackers had managed to inject their malware onto servers by exploiting a vulnerability in cPanel, a remote administration tool that is popular among shared-hosting providers. As more and more compromised servers were discovered, however, researchers realized that only a fraction of them were running cPanel.

"One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software," the researchers write.

In other words, someone is replacing legitimate web server software with binaries containing the Cdorked backdoor, but exactly how they're doing it remains a mystery. They may even be using a different technique on each server.

Equally mysterious is just who the intended targets of the attack might be, and why. According to ESET, the Cdorked malware doesn't just blindly attack every web surfer who comes along. In fact, it operates according to a set of sophisticated yet bewildering rules.

For one thing, Cdorked keeps a list of IP addresses that have already been redirected to the Blackhole exploit, along with time stamps, to avoid redirecting the same user too often (and thus risk being detected).

The malware can also be configured with a whitelist of addresses (or address ranges) to always redirect, as well as a blacklist of addresses to never redirect. These lists can be programmed via a command and control server, again without any suspicious activity showing up in the server logs.

In one instance ESET examined, the lists were propagated with inexplicable patterns. About 50 per cent of all IPv4 addresses were blacklisted, apparently irrespective of their geographic location. At the same time, the exploit was disabled for all users whose browsers were configured to use the Belarusian, Finnish, Japanese, Kazakh, Russian, or Ukranian languages.

The systems targeted by the Cdorked malware were likewise baffling. Only users running Windows XP, Vista, or 7 were served the exploit, even though the latest Blackhole kit works on Windows 8, too. What's more, only Firefox and Internet Explorer users were attacked; users running Chrome, Opera, Safari, or other browsers were spared.

Even curiouser, a special exception was put in place for iPhone and iPad users. The Cdorked malware redirected their requests, but not to the exploit kit. Instead, they were shown a page advertising pornographic websites.

Despite these seeming incongruities, however, the ESET researchers believe Linux/Cdorked.A is a sophisticated, stealthy attack that has been underway since at least December 2012. They even believe it involves the use of compromised DNS servers to generate its redirects, something they describe as "unusual."

So far, they say, at least 400 webservers have been found to be infected with the malware, 50 of which were ranked in Alexa's top 10,000 most popular websites.

To avoid falling victim to the attack, users are advised to make sure that their browsers and plugins are all fully up-to-date – or, where possible, disabled – and to run antivirus software.

Server administrators who want to make sure their systems aren't compromised can download the latest version of ESET's detection tool, which has been updated to spot all known variants of the malware affecting Apache, Lighttpd, and Nginx. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.