Feeds

Stealthy, malware-spewing server attack not limited to Apache

Lighttpd, Nginx variants also discovered

Website security in corporate America

A mysterious backdoor that has been used to drive traffic to malicious websites may be more widespread than previously thought, security researchers say, and it affects more web servers than just Apache.

The malware – which has been dubbed "Linux/Cdorked.A" or "Darkleech," depending whom you ask – was first spotted in the wild in late April, when it was thought to have infected hundreds of web sites running on the Apache server.

More recently, however, researchers have also found instances of the Lighttpd and Nginx web server daemons that had been similarly modified to include Cdorked code.

Compromised servers redirect incoming HTTP requests to sites hosting the infamous Blackhole exploit kit but leave no traces in the server logs to alert admins of the malicious activity. All of the data related to the backdoor is held in shared memory and never touches the disk.

Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three. What is curious, however, is how they managed to smuggle their Trojanized versions onto active servers – not to mention what they hope to achieve by it.

"We still don't know for sure how this malicious software was deployed on the web servers," ESET security researchers write in a blog post. "We believe the infection vector is not unique."

Initially, the researchers had thought that the attackers had managed to inject their malware onto servers by exploiting a vulnerability in cPanel, a remote administration tool that is popular among shared-hosting providers. As more and more compromised servers were discovered, however, researchers realized that only a fraction of them were running cPanel.

"One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software," the researchers write.

In other words, someone is replacing legitimate web server software with binaries containing the Cdorked backdoor, but exactly how they're doing it remains a mystery. They may even be using a different technique on each server.

Equally mysterious is just who the intended targets of the attack might be, and why. According to ESET, the Cdorked malware doesn't just blindly attack every web surfer who comes along. In fact, it operates according to a set of sophisticated yet bewildering rules.

For one thing, Cdorked keeps a list of IP addresses that have already been redirected to the Blackhole exploit, along with time stamps, to avoid redirecting the same user too often (and thus risk being detected).

The malware can also be configured with a whitelist of addresses (or address ranges) to always redirect, as well as a blacklist of addresses to never redirect. These lists can be programmed via a command and control server, again without any suspicious activity showing up in the server logs.

In one instance ESET examined, the lists were propagated with inexplicable patterns. About 50 per cent of all IPv4 addresses were blacklisted, apparently irrespective of their geographic location. At the same time, the exploit was disabled for all users whose browsers were configured to use the Belarusian, Finnish, Japanese, Kazakh, Russian, or Ukranian languages.

The systems targeted by the Cdorked malware were likewise baffling. Only users running Windows XP, Vista, or 7 were served the exploit, even though the latest Blackhole kit works on Windows 8, too. What's more, only Firefox and Internet Explorer users were attacked; users running Chrome, Opera, Safari, or other browsers were spared.

Even curiouser, a special exception was put in place for iPhone and iPad users. The Cdorked malware redirected their requests, but not to the exploit kit. Instead, they were shown a page advertising pornographic websites.

Despite these seeming incongruities, however, the ESET researchers believe Linux/Cdorked.A is a sophisticated, stealthy attack that has been underway since at least December 2012. They even believe it involves the use of compromised DNS servers to generate its redirects, something they describe as "unusual."

So far, they say, at least 400 webservers have been found to be infected with the malware, 50 of which were ranked in Alexa's top 10,000 most popular websites.

To avoid falling victim to the attack, users are advised to make sure that their browsers and plugins are all fully up-to-date – or, where possible, disabled – and to run antivirus software.

Server administrators who want to make sure their systems aren't compromised can download the latest version of ESET's detection tool, which has been updated to spot all known variants of the malware affecting Apache, Lighttpd, and Nginx. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.