Attacks/Breaches
4/30/2013
01:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Darkleech Apache Attacks Intensify

Security researchers discover hard-to-detect, memory-resident Linux malware compromising Apache servers and redirecting browsers to other infected sites.

Hundreds of servers running Apache HTTP server software have been infected with a new malicious Linux backdoor known as "Cdorked." The malware appears to be connected to the so-called Darkleech attack campaign that's been using compromised servers and malicious Apache modules to launch drive-by attacks that target known browser vulnerabilities.

While Darkleech has been running for at least two months, attackers appear to still be upping their game. "Linux/Cdorked is one of the most sophisticated Apache backdoors we have seen so far," said Pierre-Marc Bureau, security intelligence program manager for security firm ESET, in a blog post that details how to identify and remediate servers infected by the malware.

Cdorked uses JavaScript to attack anyone browsing the website. If the attack is successful, the malware redirects the browser to another malicious website, where a crimeware toolkit attempts to further compromise the PC. As part of the handoff, interestingly, Cdorked adds useful attack information to the invoked link, such as the URL from which the browser has been redirected and, according to Bureau, whether or not the request was originally to a JavaScript file so the server [can] provide the right [attack] payload.

[ Have a D-Link IP camera? Upgrade your firmware now. For more details, read D-Link Camera Security Flaw: Upgrade Now. ]

Unfortunately, detecting servers that are infected with Cdorked isn't straightforward. "The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis," Bureau explained, noting that the malware stores no data on a server's hard drive. "All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system."

Attackers access a "backdoored server" either by using a reverse shell or by using HTTP requests to relay commands. The reverse shell -- or connect-back-shellcode -- requests, however, leave traces that can help administrators identify servers that have been compromised by attackers. "[When] the shell is used by the attacker, the HTTP connection creating it is hung [the backdoor code does not implement forking]," said Bureau. "This implies that malicious shells can be found if one has access to the server and checks for long-running HTTP connections. On the other hand, the HTTP request does not appear in Apache's log file due to the way the malicious code is hooked into Apache."

But the best way to identify infected servers, Bureau said, is to scan servers for the presence of shared memory created by the malware, which will comprise about 6 MB and store the malware's state and configuration information.

The Darkleech campaign was first spotted in early March, when a security researcher at Sophos found that malicious modules added to Apache installations were using iFrames and JavaScript to redirect visitors to websites infected with the Blackhole crimeware toolkit.

Early this month, meanwhile, Cisco security researcher Mary Landesman warned that an estimated 20,000 legitimate websites that use Apache HTTP server software had been compromised as part of Darkleech. Those attacks -- as with Cdorked -- have focused on infecting vulnerable Apache installations with an SSHD backdoor. Attackers were able to load malicious modules onto the servers, which then served up drive-by attacks against website visitors.

Which Apache vulnerabilities are attackers exploiting? Cisco last week reported that Darkleech attackers may be exploiting a Horde/IMP Plesk Webmail bug that's present in unpatched versions of the Parallels Plesk control panel software used by many Web hosting providers. "By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server," said Craig Williams, who works in Cisco's Security Intelligence Operations threat research group for (SIO), in a blog post.

To help block Darkleech attacks, Williams recommended that website administrators keep their Apache server software fully patched and updated.

Update: A Parallels spokeswoman said via email that a patch is available for the Plesk vulnerability identified by Cisco. "The exploit warned about by a Cisco researcher was in the third-party Horde webmail for Plesk 9.3 and earlier (products circa 2009 and earlier), not in the Plesk control panel itself," she said. "These Plesk versions are end-of-lifed now, but a patch was promptly issued in February 2012.

People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital How Hackers Fool Your Employees issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
S+¬bastien Duquette
50%
50%
S+¬bastien Duquette,
User Rank: Apprentice
5/1/2013 | 2:39:40 PM
re: Darkleech Apache Attacks Intensify
Hi, this is S+¬bastien from ESET. To clarify, this threat is not related to Darkleech which is a different beast. While both target Apache servers, they are distinct pieces of code and send visitors to different instances of the Blackhole kit. However this does not change the fact that this trend is quite concerning.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.