Vulnerabilities / Threats
5/4/2011
11:17 AM
50%
50%

Apache Web Server Under Stealth Attack

Malicious code uses Apache's own filter capabilities to transform the server module into a malware platform.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Online attackers seem to love to exploit Web servers, because they can add scripts that quickly and automatically add malicious links to static HTML pages via an iFrame tag, or code that attempts to exploit website visitors' PCs via drive-by downloads.

But an attack discovered on Friday, dubbed Apmod, pushes this attack technique one step further by not just infecting static Web pages. "The attack was unusual in that the Web server itself was the infection target," said Cathal Mullaney, a security response engineer at Symantec, in a blog post. "When a Web server is infected like this, every user that requests any Web page from that Web server is a potential victim. This is opposed to cases where static Web pages are infected with malicious code--only those specific pages put a user at risk of infection."

This new attack, which has been seen in the wild but doesn't currently appear to be widespread, targets the popular Apache Web Server, which runs on Windows and Linux. According to Netcraft, Apache Web Server is now used to host about 204 million websites.

The attack is innovative in that it uses Apache's built-in filter capabilities. A filter, as defined by Apache, "is a process that is applied to data that is sent or received by the server," and can be used to add functionality without rewriting the code base. Many websites use this capability to add advertisements to Web pages on the fly, while also tracking that advertising delivery to generate revenue via ad agencies.

"We have discovered a malicious module that performs identical steps in order to include links to malicious websites," said Mullaney. "All of the actions performed by the rogue module are done using legitimate code provided by the Apache API, specifically for this type of on-the-fly content generation. This is not an exploit or a hack of Apache's code base; the module uses Apache's inherent functionality to infect users and attempts to redirect them to a malicious Web page."

Interestingly, the module doesn't attempt to infect every Web page it serves. In fact, it includes a number of anti-detection capabilities, including watching for signs of administrator access or processes and avoids serving malware to search engines. Furthermore, when it does serve a Web page infected with links to malicious websites, the module then temporarily blacklists the user's IP address to avoid delivering multiple, infected Web pages, which might make its activities easier to detect. It then queries a command and control server to provide a new iFrame tag, further hampering detection.

As a result, "this is a complex and potentially difficult threat to detect accurately," said Mullaney. "As the rogue module contains a number of evasion techniques, it is possible that a system administrator would not notice the infection for some time. A further difficulty in detecting the threat is the on-the-fly nature of the infection. Since no Web pages are infected on the disk, no detections on stored HTML pages are possible."

The good news, however, is that to install this module, an attacker would need administrator-level access. "If an attacker has gained the level of control required to install this module on to your Web server, the chances are good that you have much bigger problems to worry about," he said.

Accordingly, expect existing, widespread attack techniques used against websites--such as SQL injections, which security experts suspect is how attackers recently compromised more than 100 million user accounts at Sony--to remain more prevalent.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MichaelLed
50%
50%
MichaelLed,
User Rank: Apprentice
5/25/2013 | 2:30:16 PM
re: Apache Web Server Under Stealth Attack
The number of the detected suspicious websites is the highest for Apache servers. http://quttera.com/website-sca...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5426
Published: 2014-11-27
MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attackers to cause a denial of service (unhandled exception and DNP3 process crash) via a crafted message.

CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?