Feeds

Stealthy, malware-spewing server attack not limited to Apache

Lighttpd, Nginx variants also discovered

Secure remote control for conventional and virtual desktops

A mysterious backdoor that has been used to drive traffic to malicious websites may be more widespread than previously thought, security researchers say, and it affects more web servers than just Apache.

The malware – which has been dubbed "Linux/Cdorked.A" or "Darkleech," depending whom you ask – was first spotted in the wild in late April, when it was thought to have infected hundreds of web sites running on the Apache server.

More recently, however, researchers have also found instances of the Lighttpd and Nginx web server daemons that had been similarly modified to include Cdorked code.

Compromised servers redirect incoming HTTP requests to sites hosting the infamous Blackhole exploit kit but leave no traces in the server logs to alert admins of the malicious activity. All of the data related to the backdoor is held in shared memory and never touches the disk.

Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three. What is curious, however, is how they managed to smuggle their Trojanized versions onto active servers – not to mention what they hope to achieve by it.

"We still don't know for sure how this malicious software was deployed on the web servers," ESET security researchers write in a blog post. "We believe the infection vector is not unique."

Initially, the researchers had thought that the attackers had managed to inject their malware onto servers by exploiting a vulnerability in cPanel, a remote administration tool that is popular among shared-hosting providers. As more and more compromised servers were discovered, however, researchers realized that only a fraction of them were running cPanel.

"One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software," the researchers write.

In other words, someone is replacing legitimate web server software with binaries containing the Cdorked backdoor, but exactly how they're doing it remains a mystery. They may even be using a different technique on each server.

Equally mysterious is just who the intended targets of the attack might be, and why. According to ESET, the Cdorked malware doesn't just blindly attack every web surfer who comes along. In fact, it operates according to a set of sophisticated yet bewildering rules.

For one thing, Cdorked keeps a list of IP addresses that have already been redirected to the Blackhole exploit, along with time stamps, to avoid redirecting the same user too often (and thus risk being detected).

The malware can also be configured with a whitelist of addresses (or address ranges) to always redirect, as well as a blacklist of addresses to never redirect. These lists can be programmed via a command and control server, again without any suspicious activity showing up in the server logs.

In one instance ESET examined, the lists were propagated with inexplicable patterns. About 50 per cent of all IPv4 addresses were blacklisted, apparently irrespective of their geographic location. At the same time, the exploit was disabled for all users whose browsers were configured to use the Belarusian, Finnish, Japanese, Kazakh, Russian, or Ukranian languages.

The systems targeted by the Cdorked malware were likewise baffling. Only users running Windows XP, Vista, or 7 were served the exploit, even though the latest Blackhole kit works on Windows 8, too. What's more, only Firefox and Internet Explorer users were attacked; users running Chrome, Opera, Safari, or other browsers were spared.

Even curiouser, a special exception was put in place for iPhone and iPad users. The Cdorked malware redirected their requests, but not to the exploit kit. Instead, they were shown a page advertising pornographic websites.

Despite these seeming incongruities, however, the ESET researchers believe Linux/Cdorked.A is a sophisticated, stealthy attack that has been underway since at least December 2012. They even believe it involves the use of compromised DNS servers to generate its redirects, something they describe as "unusual."

So far, they say, at least 400 webservers have been found to be infected with the malware, 50 of which were ranked in Alexa's top 10,000 most popular websites.

To avoid falling victim to the attack, users are advised to make sure that their browsers and plugins are all fully up-to-date – or, where possible, disabled – and to run antivirus software.

Server administrators who want to make sure their systems aren't compromised can download the latest version of ESET's detection tool, which has been updated to spot all known variants of the malware affecting Apache, Lighttpd, and Nginx. ®

Beginner's guide to SSL certificates

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.