Vulnerabilities / Threats
5/4/2011
11:17 AM
50%
50%

Apache Web Server Under Stealth Attack

Malicious code uses Apache's own filter capabilities to transform the server module into a malware platform.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Online attackers seem to love to exploit Web servers, because they can add scripts that quickly and automatically add malicious links to static HTML pages via an iFrame tag, or code that attempts to exploit website visitors' PCs via drive-by downloads.

But an attack discovered on Friday, dubbed Apmod, pushes this attack technique one step further by not just infecting static Web pages. "The attack was unusual in that the Web server itself was the infection target," said Cathal Mullaney, a security response engineer at Symantec, in a blog post. "When a Web server is infected like this, every user that requests any Web page from that Web server is a potential victim. This is opposed to cases where static Web pages are infected with malicious code--only those specific pages put a user at risk of infection."

This new attack, which has been seen in the wild but doesn't currently appear to be widespread, targets the popular Apache Web Server, which runs on Windows and Linux. According to Netcraft, Apache Web Server is now used to host about 204 million websites.

The attack is innovative in that it uses Apache's built-in filter capabilities. A filter, as defined by Apache, "is a process that is applied to data that is sent or received by the server," and can be used to add functionality without rewriting the code base. Many websites use this capability to add advertisements to Web pages on the fly, while also tracking that advertising delivery to generate revenue via ad agencies.

"We have discovered a malicious module that performs identical steps in order to include links to malicious websites," said Mullaney. "All of the actions performed by the rogue module are done using legitimate code provided by the Apache API, specifically for this type of on-the-fly content generation. This is not an exploit or a hack of Apache's code base; the module uses Apache's inherent functionality to infect users and attempts to redirect them to a malicious Web page."

Interestingly, the module doesn't attempt to infect every Web page it serves. In fact, it includes a number of anti-detection capabilities, including watching for signs of administrator access or processes and avoids serving malware to search engines. Furthermore, when it does serve a Web page infected with links to malicious websites, the module then temporarily blacklists the user's IP address to avoid delivering multiple, infected Web pages, which might make its activities easier to detect. It then queries a command and control server to provide a new iFrame tag, further hampering detection.

As a result, "this is a complex and potentially difficult threat to detect accurately," said Mullaney. "As the rogue module contains a number of evasion techniques, it is possible that a system administrator would not notice the infection for some time. A further difficulty in detecting the threat is the on-the-fly nature of the infection. Since no Web pages are infected on the disk, no detections on stored HTML pages are possible."

The good news, however, is that to install this module, an attacker would need administrator-level access. "If an attacker has gained the level of control required to install this module on to your Web server, the chances are good that you have much bigger problems to worry about," he said.

Accordingly, expect existing, widespread attack techniques used against websites--such as SQL injections, which security experts suspect is how attackers recently compromised more than 100 million user accounts at Sony--to remain more prevalent.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MichaelLed
50%
50%
MichaelLed,
User Rank: Apprentice
5/25/2013 | 2:30:16 PM
re: Apache Web Server Under Stealth Attack
The number of the detected suspicious websites is the highest for Apache servers. http://quttera.com/website-sca...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1414
Published: 2015-02-27
Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory.

CVE-2015-2072
Published: 2015-02-27
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or...

CVE-2015-2075
Published: 2015-02-27
SAP BussinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396.

CVE-2015-2076
Published: 2015-02-27
The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.

CVE-2015-2101
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in the Navigate bar in the Navigate module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.