'Sophisticated' backdoor malware opens up security blackhole in Apache web servers
Summary: Malware that hides itself from admins has been found in the wild, allowing attackers to compromise web servers and redirect users to sites hosting exploit kits.
Security researchers have found new backdoor malware targeting Apache web servers, which is designed to expose website visitors to exploit kits like the notorious Blackhole.
Researchers at security firm ESET have dubbed the malware Linux/Cdorked.A and are calling it "the most sophisticated Apache backdoor" due to its ability to evade detection. Apache web servers run about 50 percent of the world's websites, according to UK-based internet security firm Netcraft.
The researchers claim the malware has been installed on hundreds of compromised web servers, which have served up malicious redirects to thousands of visitors.
The malware is designed to redirect browsers that visit a compromised site to malicious sites hosting the Blackhole exploit kit, which is known to serve up a range of old and new exploits for Oracle's Java, Adobe's Flash and other popular software to take control of victims' machines.
Using compromised websites is already a popular method for infecting targets; however, compromising a web server that hosts multiple sites gives the attacker more territory in one hit.
The backdoor technique is an evolution of an ongoing assault on Apache web servers, which have previously been hit by attacks that used malicious Apache modules or modified Apache configurations to serve up exploits.
Researchers at Sucuri, who have been tracking malicious Apache modules known as Darkleech, noted last week that instead of modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one, namely the backdoor called Linux/Cdorked.A.
"The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache," Pierre-Marc Bureau, ESET security intelligence program manager, said.
The web server malware has been equipped with a number of tricks to avoid detection by the administrators of a compromised web server. For example, the backdoor checks the referrer field of the site's visitor, and if the visitor comes from a URL that contains keywords like "admin", "webmaster", "support", or "cpanel" (a web hosting control panel), the malicious content is not served, according to ESET.
"The backdoor's configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools. The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex," Righard Zwienenberg, a senior research fellow at ESET, added.
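Since ESET says the only on-disk trace of Cdorked is the modified httpd file, the practical detection is a baseline integrity check of that binary. The script below is an added example and is not from the article, ESET or the Apache project; the paths in HTTPD_PATH and BASELINE are assumptions and should be adjusted to the distribution in use.

```shell
#!/bin/sh
# Added example: record a trusted SHA-256 of the Apache binary after a clean
# package install, then compare on a schedule. Paths below are assumptions.
HTTPD_PATH="${HTTPD_PATH:-/usr/sbin/httpd}"          # e.g. /usr/sbin/apache2 on Debian
BASELINE="${BASELINE:-/var/lib/httpd-baseline.sha256}"

# Hash a file with whichever SHA-256 tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Store the trusted hash. Run this once on a known-clean binary; keep a copy
# of the baseline off-host, because an attacker with root can rewrite it.
record_baseline() {
    hash_file "$1" > "$2"
}

# Compare current hash to baseline.
# Returns 0 if unchanged, 1 if the binary was modified, 2 if no baseline exists.
check_binary() {
    [ -f "$2" ] || return 2
    current=$(hash_file "$1")
    expected=$(cat "$2")
    [ "$current" = "$expected" ]
}

# Invoke as "script --check" from cron; sourcing the file only defines functions.
case "${1:-}" in
    --check)
        check_binary "$HTTPD_PATH" "$BASELINE"
        case $? in
            0) echo "OK: $HTTPD_PATH matches baseline" ;;
            1) echo "ALERT: $HTTPD_PATH differs from baseline, investigate" ;;
            2) echo "No baseline at $BASELINE; run record_baseline first" ;;
        esac ;;
esac
```

Where the binary came from a package, `rpm -V httpd` or `debsums` gives a comparable check against the package's own manifest, but a baseline kept off-host still catches a swapped binary when the local package database is tampered with too.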
Talkback
File integrity checking on web server?!
"The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache,"
OSSEC, AIDE, Integrit, Tripwire, etc. would do nicely.
Are the malicious httpd binaries signed?
If the attackers are using stolen certificates, then it should be relatively straightforward to solve the problem. Have the issuing authorities revoke the stolen certificates so that the servers will stop executing them after the next scheduled update. It will inconvenience the owners of the certificates, but people shouldn’t allow their certificates to be stolen.
It beggars belief that, in 2013, a server operating system would default to allowing an unsigned binary to run as a daemon, or that an administrator of a web server would be stupid enough to disable signature verification. If these server operating systems and/or the configurations used on them are as laughably insecure as that, it’s tempting to say that the managers and administrators who chose to use these operating systems and configured them almost deserve to be attacked, so that maybe some sense will be knocked into their heads.
When websites on compromised web servers are discovered, the fact that they were compromised should be widely publicised. This should include the source of the certificates (if they exist) or the fact that the servers were so insecure that they were running unsigned binaries as daemons. It’s essential to create a financial incentive for those responsible, so they either safeguard their certificates, reconfigure their servers or switch to alternative operating systems and web servers with more secure default configurations.
weird logic
You do have weird logic
Mr. Davidson
One would think that the miscreants would target WAMP server implementations such as Apache2Triad, WampServer, etc. (which run on Windows) before they would target LAMP servers (which run on Linux). Or is it that there are a lot more LAMP servers out there than there are WAMP servers? Are WAMP servers really safer to run than LAMP servers?
Alternatively, why not simply target Microsoft's IIS?
RHM
Re: all kinds of protection
wow people still use apache? move to IIS already
There you go! Apache is doomed!