Attacks/Breaches
4/30/2013
01:07 PM
50%
50%

Darkleech Apache Attacks Intensify

Security researchers discover hard-to-detect, memory-resident Linux malware compromising Apache servers and redirecting browsers to other infected sites.

Hundreds of servers running Apache HTTP server software have been infected with a new malicious Linux backdoor known as "Cdorked." The malware appears to be connected to the so-called Darkleech attack campaign that's been using compromised servers and malicious Apache modules to launch drive-by attacks that target known browser vulnerabilities.

While Darkleech has been running for at least two months, attackers appear to still be upping their game. "Linux/Cdorked is one of the most sophisticated Apache backdoors we have seen so far," said Pierre-Marc Bureau, security intelligence program manager for security firm ESET, in a blog post that details how to identify and remediate servers infected by the malware.

Cdorked uses JavaScript to attack anyone browsing the website. If the attack is successful, the malware redirects the browser to another malicious website, where a crimeware toolkit attempts to further compromise the PC. As part of the handoff, interestingly, Cdorked adds useful attack information to the invoked link, such as the URL from which the browser has been redirected and, according to Bureau, whether or not the request was originally to a JavaScript file so the server [can] provide the right [attack] payload.

[ Have a D-Link IP camera? Upgrade your firmware now. For more details, read D-Link Camera Security Flaw: Upgrade Now. ]

Unfortunately, detecting servers that are infected with Cdorked isn't straightforward. "The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis," Bureau explained, noting that the malware stores no data on a server's hard drive. "All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system."

Attackers access a "backdoored server" either by using a reverse shell or by using HTTP requests to relay commands. The reverse shell -- or connect-back-shellcode -- requests, however, leave traces that can help administrators identify servers that have been compromised by attackers. "[When] the shell is used by the attacker, the HTTP connection creating it is hung [the backdoor code does not implement forking]," said Bureau. "This implies that malicious shells can be found if one has access to the server and checks for long-running HTTP connections. On the other hand, the HTTP request does not appear in Apache's log file due to the way the malicious code is hooked into Apache."

But the best way to identify infected servers, Bureau said, is to scan servers for the presence of shared memory created by the malware, which will comprise about 6 MB and store the malware's state and configuration information.

The Darkleech campaign was first spotted in early March, when a security researcher at Sophos found that malicious modules added to Apache installations were using iFrames and JavaScript to redirect visitors to websites infected with the Blackhole crimeware toolkit.

Early this month, meanwhile, Cisco security researcher Mary Landesman warned that an estimated 20,000 legitimate websites that use Apache HTTP server software had been compromised as part of Darkleech. Those attacks -- as with Cdorked -- have focused on infecting vulnerable Apache installations with an SSHD backdoor. Attackers were able to load malicious modules onto the servers, which then served up drive-by attacks against website visitors.

Which Apache vulnerabilities are attackers exploiting? Cisco last week reported that Darkleech attackers may be exploiting a Horde/IMP Plesk Webmail bug that's present in unpatched versions of the Parallels Plesk control panel software used by many Web hosting providers. "By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server," said Craig Williams, who works in Cisco's Security Intelligence Operations threat research group for (SIO), in a blog post.

To help block Darkleech attacks, Williams recommended that website administrators keep their Apache server software fully patched and updated.

Update: A Parallels spokeswoman said via email that a patch is available for the Plesk vulnerability identified by Cisco. "The exploit warned about by a Cisco researcher was in the third-party Horde webmail for Plesk 9.3 and earlier (products circa 2009 and earlier), not in the Plesk control panel itself," she said. "These Plesk versions are end-of-lifed now, but a patch was promptly issued in February 2012.

People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital How Hackers Fool Your Employees issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
S+¬bastien Duquette
50%
50%
S+¬bastien Duquette,
User Rank: Apprentice
5/1/2013 | 2:39:40 PM
re: Darkleech Apache Attacks Intensify
Hi, this is S+¬bastien from ESET. To clarify, this threat is not related to Darkleech which is a different beast. While both target Apache servers, they are distinct pieces of code and send visitors to different instances of the Blackhole kit. However this does not change the fact that this trend is quite concerning.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.