Vulnerabilities / Threats
5/4/2011
11:17 AM
Connect Directly
RSS
E-Mail
50%
50%

Apache Web Server Under Stealth Attack

Malicious code uses Apache's own filter capabilities to transform the server module into a malware platform.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Online attackers seem to love to exploit Web servers, because they can add scripts that quickly and automatically add malicious links to static HTML pages via an iFrame tag, or code that attempts to exploit website visitors' PCs via drive-by downloads.

But an attack discovered on Friday, dubbed Apmod, pushes this attack technique one step further by not just infecting static Web pages. "The attack was unusual in that the Web server itself was the infection target," said Cathal Mullaney, a security response engineer at Symantec, in a blog post. "When a Web server is infected like this, every user that requests any Web page from that Web server is a potential victim. This is opposed to cases where static Web pages are infected with malicious code--only those specific pages put a user at risk of infection."

This new attack, which has been seen in the wild but doesn't currently appear to be widespread, targets the popular Apache Web Server, which runs on Windows and Linux. According to Netcraft, Apache Web Server is now used to host about 204 million websites.

The attack is innovative in that it uses Apache's built-in filter capabilities. A filter, as defined by Apache, "is a process that is applied to data that is sent or received by the server," and can be used to add functionality without rewriting the code base. Many websites use this capability to add advertisements to Web pages on the fly, while also tracking that advertising delivery to generate revenue via ad agencies.

"We have discovered a malicious module that performs identical steps in order to include links to malicious websites," said Mullaney. "All of the actions performed by the rogue module are done using legitimate code provided by the Apache API, specifically for this type of on-the-fly content generation. This is not an exploit or a hack of Apache's code base; the module uses Apache's inherent functionality to infect users and attempts to redirect them to a malicious Web page."

Interestingly, the module doesn't attempt to infect every Web page it serves. In fact, it includes a number of anti-detection capabilities, including watching for signs of administrator access or processes and avoids serving malware to search engines. Furthermore, when it does serve a Web page infected with links to malicious websites, the module then temporarily blacklists the user's IP address to avoid delivering multiple, infected Web pages, which might make its activities easier to detect. It then queries a command and control server to provide a new iFrame tag, further hampering detection.

As a result, "this is a complex and potentially difficult threat to detect accurately," said Mullaney. "As the rogue module contains a number of evasion techniques, it is possible that a system administrator would not notice the infection for some time. A further difficulty in detecting the threat is the on-the-fly nature of the infection. Since no Web pages are infected on the disk, no detections on stored HTML pages are possible."

The good news, however, is that to install this module, an attacker would need administrator-level access. "If an attacker has gained the level of control required to install this module on to your Web server, the chances are good that you have much bigger problems to worry about," he said.

Accordingly, expect existing, widespread attack techniques used against websites--such as SQL injections, which security experts suspect is how attackers recently compromised more than 100 million user accounts at Sony--to remain more prevalent.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MichaelLed
50%
50%
MichaelLed,
User Rank: Apprentice
5/25/2013 | 2:30:16 PM
re: Apache Web Server Under Stealth Attack
The number of the detected suspicious websites is the highest for Apache servers. http://quttera.com/website-sca...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.