'Sophisticated' backdoor malware opens up security blackhole in Apache web servers

Summary: Malware that hides itself from admins has been found in the wild, allowing attackers to compromise web servers and redirect users to sites hosting exploit kits.

TOPICS: Security, Servers

Security researchers have found new backdoor malware targeting Apache web servers, which is designed to expose website visitors to exploit kits like the notorious Blackhole.

Researchers at security firm ESET have dubbed the malware Linux/Cdorked.A and are calling it "the most sophisticated Apache backdoor" because of its ability to evade detection. Apache web servers run about 50 percent of the world’s websites, according to UK-based internet security firm Netcraft.

The researchers claim the malware has been installed on hundreds of compromised web servers, which have served up malicious redirects to thousands of visitors.

The malware is designed to redirect browsers that visit a compromised site to malicious sites hosting the Blackhole exploit kit, which is known to serve up a range of old and new exploits for Oracle's Java, Adobe's Flash and other popular software in order to take control of victims' machines.

Using compromised websites is already a popular method for infecting targets; however, compromising a web server that hosts multiple sites gives the attacker more territory in one hit.

The backdoor technique is an evolution of an ongoing assault on Apache web servers, which have previously been hit by attacks that use malicious Apache modules or modified Apache configurations to serve up exploits.

Researchers at Sucuri, who have been tracking malicious Apache modules known as Darkleech, noted last week that instead of modifying the Apache configuration, the attackers had started to replace the Apache binary (httpd) with a malicious one, namely the backdoor called Linux/Cdorked.A.

"The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache," Pierre-Marc Bureau, ESET security intelligence program manager, said.

The web server malware has been equipped with a number of tricks to avoid detection by the administrators of a compromised web server. For example, the backdoor inspects the referrer field of each visitor's request, and if the visitor arrived from a URL containing keywords like "admin", "webmaster", "support" or "cpanel" (a web hosting control panel), the malicious content is not served, according to ESET.

"The backdoor's configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools. The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex," Righard Zwienenberg, a senior research fellow at ESET, added.
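The one on-disk artefact ESET describes is the replaced httpd binary, which is exactly what host-based file-integrity monitoring is built to catch. The script below is an added example, not code from the article, ESET or Sucuri: a minimal baseline-and-verify checker in the spirit of AIDE or Tripwire that records a SHA-256 hash, size and permission bits for each watched file and later reports anything modified, missing, or newly dropped into a watched directory. The paths and the fake ELF bytes in demo() are constructed for the demonstration; on a real host the files to baseline would be the httpd binary (/usr/sbin/httpd or /usr/sbin/apache2, depending on the distribution) and the Apache modules directory.

```python
"""Minimal file-integrity baseline/verify, in the spirit of AIDE or Tripwire.

Added example, not code from the article or the vendors it quotes. Every
path and file content used in demo() is constructed for the demonstration.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint(path: Path) -> dict:
    """Record the attributes a swapped binary would change: hash, size, mode bits."""
    st = path.stat()
    return {"sha256": sha256_of(path), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(files) -> dict:
    """Map each watched file (absolute path as string) to its fingerprint."""
    return {str(Path(f).resolve()): fingerprint(Path(f)) for f in files}


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; keep this file somewhere the web server account cannot write."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(baseline: dict, watched_dirs=()) -> dict:
    """Compare the current filesystem state with the baseline.

    Returns {"modified": [...], "missing": [...], "added": [...]} with absolute
    paths. 'added' lists regular files in watched_dirs that the baseline does
    not know about (for example a module dropped next to the legitimate ones).
    """
    report = {"modified": [], "missing": [], "added": []}
    for path_str, expected in baseline.items():
        path = Path(path_str)
        if not path.is_file():
            report["missing"].append(path_str)
        elif fingerprint(path) != expected:
            report["modified"].append(path_str)
    for directory in watched_dirs:
        for entry in sorted(Path(directory).iterdir()):
            if entry.is_file() and str(entry.resolve()) not in baseline:
                report["added"].append(str(entry.resolve()))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a stand-in httpd, swap it out, then verify.

    Returns file names only so the result does not depend on the temp dir path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sbin = Path(tmp) / "sbin"
        sbin.mkdir()
        httpd = sbin / "httpd"
        httpd.write_bytes(b"\x7fELF" + b"\x00" * 60)  # constructed stand-in, not a real binary
        httpd.chmod(0o755)

        baseline_file = Path(tmp) / "httpd-baseline.json"
        save_baseline(build_baseline([httpd]), baseline_file)

        # Simulate the attack the article describes: the daemon binary is replaced.
        httpd.write_bytes(b"\x7fELF" + b"\x00" * 60 + b"extra code")
        # Simulate a file dropped into the watched directory after baselining.
        (sbin / "httpd.orig").write_bytes(b"x")

        report = verify(load_baseline(baseline_file), watched_dirs=[sbin])
        return {key: sorted(Path(p).name for p in paths) for key, paths in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run verification on a schedule and treat a changed hash on httpd that does not coincide with a package update as the trigger to investigate; since the backdoor holds its configuration only in memory, the binary itself is the artefact to preserve for analysis. On RPM-based systems, rpm -V httpd performs a comparable comparison against the package database without needing a separate baseline.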

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • File integrity checking on web server?!

    Quoted in the article:
    "The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache,"

    OSSEC, AIDE, Integrit, Tripwire, etc. would do nicely.
    Rabid Howler Monkey
  • Are the malicious httpd binaries signed?

    Have the attackers signed the rogue httpd binaries using stolen certificates, or are the operating systems on these servers so insecure that they’re actually starting daemon processes without verifying that the daemon binary and any libraries it loads have been properly signed by trusted authorities?

    If the attackers are using stolen certificates, then it should be relatively straightforward to solve the problem. Have the issuing authorities revoke the stolen certificates so that the servers will stop executing them after the next scheduled update. It will inconvenience the owners of the certificates, but people shouldn’t allow their certificates to be stolen.

    It beggars belief that, in 2013, a server operating system would default to allowing an unsigned binary to run as a daemon, or that an administrator of a web server would be stupid enough to disable signature verification. If these server operating systems and/or the configurations used on them are as laughably insecure as that, it’s tempting to say that the managers and administrators who chose to use these operating systems and configured them almost deserve to be attacked, so that maybe some sense will be knocked into their heads.

    When websites on compromised web servers are discovered, the fact that they were compromised should be widely publicised. This should include the source of the certificates (if they exist) or the fact that the servers were so insecure that they were running unsigned binaries as daemons. It’s essential to create a financial incentive for those responsible, so they either safeguard their certificates, reconfigure their servers or switch to alternative operating systems and web servers with more secure default configurations.
    • Are the malicious httpd binaries signed?

      Windmills do not work that way!
  • 'Sophisticated' backdoor malware opens up security blackhole in Apache web

    More reason not to use Linux for anything. We were told it can't have malware and suddenly it does.
    • weird logic

      So by your logic, we should not be using Windows OS since it has the most viruses ???
      • You do have weird logic

        There are some viruses for Microsoft Windows but at least they are willing to admit it. People know how to take clear steps to prevent it and can run antivirus software if needed for added protection. Linux doesn't offer any of that. With Linux you are on your own to figure it out. No antivirus, no malware programs, so you're left with a false sense of being secure. Then things like this article happen. So by your logic we should not be using Linux.
        • I didn't suggest it

          Please read my post very carefully. I'm using your logic to say that if there are vulnerabilities in the system then we should not use it, as suggested by you, which is silly.

          Should we stop using Windows because there are viruses? Of course not. We should use antivirus and be vigilant.

          Should we stop using Apache just because there's this malware now? Of course not. Once again, use the method suggested by the 1st reader and be vigilant.

          Purely based on your logic we should not be using any OS, as any system has weaknesses.
    • Mr. Davidson

      What I find interesting is that this malware is dubbed 'Linux/Cdorked.A' rather than 'Windows/Cdorked.A'.

      One would think that the miscreants would target WAMP server implementations such as Apache2Triad, WampServer, etc. (which run on Windows) before they would target LAMP servers (which run on Linux). Or is it that there are a lot more LAMP servers out there than there are WAMP servers? Are WAMP servers really safer to run than LAMP servers?

      Alternatively, why not simply target Microsoft's IIS?
      Rabid Howler Monkey
      • RHM

        Just shows how insecure Linux has become with their false sense of security by claiming "Linux can't get this". It's easier for these miscreants to go after a Linux box, which is insecure for the reason just stated, than to try a Microsoft Windows box which they know is running all kinds of protection.
        • Re: all kinds of protection

          Do you honestly believe the same attack vector is not possible with Windows as the OS? The modified httpd binaries are not viruses. They are normal httpd binaries that just have added functionality: to redirect you to malicious code.
  • wow people still use apache? move to IIS already

    More secure and way more performant. It can serve the same number of users at the same SLA on 2/3rds to 1/2 the physical boxes.
    Johnny Vegas
  • There you go! Apache is doomed!

    Given the logic about the imminent death of Android because of malware used by some of the other ZDNet writers - extending it to this story - Apache too is doomed!