
Darkleech Apache Attacks Intensify

Security researchers discover hard-to-detect, memory-resident Linux malware compromising Apache servers and redirecting browsers to other infected sites.

Hundreds of servers running Apache HTTP server software have been infected with a new malicious Linux backdoor known as "Cdorked." The malware appears to be connected to the so-called Darkleech attack campaign that's been using compromised servers and malicious Apache modules to launch drive-by attacks that target known browser vulnerabilities.

While Darkleech has been running for at least two months, attackers appear to still be upping their game. "Linux/Cdorked is one of the most sophisticated Apache backdoors we have seen so far," said Pierre-Marc Bureau, security intelligence program manager for security firm ESET, in a blog post that details how to identify and remediate servers infected by the malware.

Cdorked uses JavaScript to attack anyone browsing the website. If the attack is successful, the malware redirects the browser to another malicious website, where a crimeware toolkit attempts to further compromise the PC. As part of the handoff, interestingly, Cdorked adds useful attack information to the invoked link, such as the URL from which the browser has been redirected and, according to Bureau, whether or not the request was originally to a JavaScript file so the server [can] provide the right [attack] payload.


Unfortunately, detecting servers that are infected with Cdorked isn't straightforward. "The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis," Bureau explained, noting that the malware stores no data on a server's hard drive. "All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system."

Attackers access a "backdoored server" either by using a reverse shell or by using HTTP requests to relay commands. The reverse shell -- or connect-back-shellcode -- requests, however, leave traces that can help administrators identify servers that have been compromised by attackers. "[When] the shell is used by the attacker, the HTTP connection creating it is hung [the backdoor code does not implement forking]," said Bureau. "This implies that malicious shells can be found if one has access to the server and checks for long-running HTTP connections. On the other hand, the HTTP request does not appear in Apache's log file due to the way the malicious code is hooked into Apache."

But the best way to identify infected servers, Bureau said, is to scan servers for the presence of shared memory created by the malware, which will comprise about 6 MB and store the malware's state and configuration information.
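As an added defender-side illustration (not code from the article, ESET or any published Cdorked tool), the helper below parses `ipcs -m` output and flags System V shared-memory segments in the roughly 6 MB range that the article says the backdoor keeps its state in. The sample `ipcs` listing, the 5.5 to 6.5 MB size band and the list of web-server account names are constructed assumptions.

```python
import subprocess

# Constructed sample of `ipcs -m` output (util-linux layout); not a real capture.
SAMPLE_IPCS = """
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      postgres   600        56         1          dest
0x00000000 65537      apache     666        6118512    4
0x0000abcd 98306      root       644        4096       0
"""

# Assumed band around the "about 6 MB" figure quoted in the article.
SUSPECT_MIN = 5_500_000
SUSPECT_MAX = 6_500_000
# Assumed set of accounts a web server typically runs as.
WEB_OWNERS = {"apache", "www-data", "httpd", "nobody"}


def parse_ipcs(text):
    """Turn the tabular `ipcs -m` listing into a list of segment dicts."""
    segments = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex key; header/separator lines do not.
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        key, shmid, owner, perms, size, nattch = parts[:6]
        segments.append({
            "key": key, "shmid": int(shmid), "owner": owner,
            "perms": perms, "bytes": int(size), "nattch": int(nattch),
        })
    return segments


def suspicious_segments(segments):
    """Segments in the suspect size band owned by a web-server account."""
    return [s for s in segments
            if SUSPECT_MIN <= s["bytes"] <= SUSPECT_MAX
            and s["owner"] in WEB_OWNERS]


def scan_live_host():
    """Run `ipcs -m` on this host and return any suspect segments."""
    out = subprocess.run(["ipcs", "-m"], capture_output=True,
                         text=True, check=False).stdout
    return suspicious_segments(parse_ipcs(out))


if __name__ == "__main__":
    for seg in suspicious_segments(parse_ipcs(SAMPLE_IPCS)):
        print(f"suspect shmid={seg['shmid']} owner={seg['owner']} "
              f"bytes={seg['bytes']} attached={seg['nattch']}")
```

A hit is only an indicator: confirm by verifying the httpd binary against the distribution package (for example `rpm -V httpd` or `debsums`), since the article notes the modified binary is the one on-disk artifact.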

The Darkleech campaign was first spotted in early March, when a security researcher at Sophos found that malicious modules added to Apache installations were using iFrames and JavaScript to redirect visitors to websites infected with the Blackhole crimeware toolkit.

Early this month, meanwhile, Cisco security researcher Mary Landesman warned that an estimated 20,000 legitimate websites that use Apache HTTP server software had been compromised as part of Darkleech. Those attacks -- as with Cdorked -- have focused on infecting vulnerable Apache installations with an SSHD backdoor. Attackers were able to load malicious modules onto the servers, which then served up drive-by attacks against website visitors.

Which Apache vulnerabilities are attackers exploiting? Cisco last week reported that Darkleech attackers may be exploiting a Horde/IMP Plesk Webmail bug that's present in unpatched versions of the Parallels Plesk control panel software used by many Web hosting providers. "By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server," said Craig Williams, who works in Cisco's Security Intelligence Operations (SIO) threat research group, in a blog post.

To help block Darkleech attacks, Williams recommended that website administrators keep their Apache server software fully patched and updated.

Update: A Parallels spokeswoman said via email that a patch is available for the Plesk vulnerability identified by Cisco. "The exploit warned about by a Cisco researcher was in the third-party Horde webmail for Plesk 9.3 and earlier (products circa 2009 and earlier), not in the Plesk control panel itself," she said. "These Plesk versions are end-of-lifed now, but a patch was promptly issued in February 2012."


Comments
Sébastien Duquette, User Rank: Apprentice
5/1/2013 | 2:39:40 PM
re: Darkleech Apache Attacks Intensify
Hi, this is Sébastien from ESET. To clarify, this threat is not related to Darkleech, which is a different beast. While both target Apache servers, they are distinct pieces of code and send visitors to different instances of the Blackhole kit. However, this does not change the fact that this trend is quite concerning.