Security researchers have found new backdoor malware targeting Apache web servers, which is designed to expose website visitors to exploit kits like the notorious Blackhole.
Researchers at security firm ESET have dubbed the malware Linux/Cdorked.A and are calling it "the most sophisticated Apache backdoor" due to its ability to evade detection. Apache web servers run about 50 percent of the world’s websites, according to UK-based internet security firm, Netcraft.
The researchers claim the malware has been installed on hundreds of compromised web servers, which have served up malicious redirects to thousands of visitors.
The malware is designed to redirect browsers that visit a compromised site to malicious sites hosting the Blackhole exploit kit, which is known to serve up a range of old and new exploits for Oracle's Java, Adobe's Flash and other popular software to take control of victim's machines.
Using compromised websites is already a popular method for infecting targets, however, compromising a web server that hosts multiple sites can give the attacker more territory in one hit.
The backdoor technique is an evolution of an ongoing assault on Apache web servers that have been previously hit by attacks using malicious Apache modules or modified Apache configurations to serve up exploits.
Researchers at Sucuri, who have been tracking malicious Apache modules known as Darkleech, noted last week that instead of modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one, namely the backdoor called Linux/Cdorked.A.
"The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache," Pierre-Marc Bureau, ESET security intelligence program manager, said.
The web server malware has been equipped with a number of tricks to avoid detection by the administrators of a compromised web server. For example, the backdoor checks whether the referrer field of the site's visitor and if they come from a URL that contains key words like "admin", "webmaster", "support", or "cpanel" (a web hosting control panel), malicious content is not served, according to ESET.
"The backdoor's configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools. The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex," Righard Zwienenberg, a senior research fellow at ESET, added.