Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Darkleech Apache Attacks Intensify

Security researchers discover hard-to-detect, memory-resident Linux malware compromising Apache servers and redirecting browsers to other infected sites.

Hundreds of servers running Apache HTTP server software have been infected with a new malicious Linux backdoor known as "Cdorked." The malware appears to be connected to the so-called Darkleech attack campaign that's been using compromised servers and malicious Apache modules to launch drive-by attacks that target known browser vulnerabilities.

While Darkleech has been running for at least two months, attackers appear to still be upping their game. "Linux/Cdorked is one of the most sophisticated Apache backdoors we have seen so far," said Pierre-Marc Bureau, security intelligence program manager for security firm ESET, in a blog post that details how to identify and remediate servers infected by the malware.

Cdorked uses JavaScript to attack anyone browsing the website. If the attack is successful, the malware redirects the browser to another malicious website, where a crimeware toolkit attempts to further compromise the PC. As part of the handoff, interestingly, Cdorked adds useful attack information to the invoked link, such as the URL from which the browser has been redirected and, according to Bureau, whether or not the request was originally to a JavaScript file so the server [can] provide the right [attack] payload.

[ Have a D-Link IP camera? Upgrade your firmware now. For more details, read D-Link Camera Security Flaw: Upgrade Now. ]

Unfortunately, detecting servers that are infected with Cdorked isn't straightforward. "The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis," Bureau explained, noting that the malware stores no data on a server's hard drive. "All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system."

Attackers access a "backdoored server" either by using a reverse shell or by using HTTP requests to relay commands. The reverse shell -- or connect-back-shellcode -- requests, however, leave traces that can help administrators identify servers that have been compromised by attackers. "[When] the shell is used by the attacker, the HTTP connection creating it is hung [the backdoor code does not implement forking]," said Bureau. "This implies that malicious shells can be found if one has access to the server and checks for long-running HTTP connections. On the other hand, the HTTP request does not appear in Apache's log file due to the way the malicious code is hooked into Apache."

But the best way to identify infected servers, Bureau said, is to scan servers for the presence of shared memory created by the malware, which will comprise about 6 MB and store the malware's state and configuration information.

The Darkleech campaign was first spotted in early March, when a security researcher at Sophos found that malicious modules added to Apache installations were using iFrames and JavaScript to redirect visitors to websites infected with the Blackhole crimeware toolkit.

Early this month, meanwhile, Cisco security researcher Mary Landesman warned that an estimated 20,000 legitimate websites that use Apache HTTP server software had been compromised as part of Darkleech. Those attacks -- as with Cdorked -- have focused on infecting vulnerable Apache installations with an SSHD backdoor. Attackers were able to load malicious modules onto the servers, which then served up drive-by attacks against website visitors.

Which Apache vulnerabilities are attackers exploiting? Cisco last week reported that Darkleech attackers may be exploiting a Horde/IMP Plesk Webmail bug that's present in unpatched versions of the Parallels Plesk control panel software used by many Web hosting providers. "By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server," said Craig Williams, who works in Cisco's Security Intelligence Operations threat research group for (SIO), in a blog post.

To help block Darkleech attacks, Williams recommended that website administrators keep their Apache server software fully patched and updated.

Update: A Parallels spokeswoman said via email that a patch is available for the Plesk vulnerability identified by Cisco. "The exploit warned about by a Cisco researcher was in the third-party Horde webmail for Plesk 9.3 and earlier (products circa 2009 and earlier), not in the Plesk control panel itself," she said. "These Plesk versions are end-of-lifed now, but a patch was promptly issued in February 2012.

People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital How Hackers Fool Your Employees issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
S+bastien Duquette
50%
50%
S+bastien Duquette,
User Rank: Apprentice
5/1/2013 | 2:39:40 PM
re: Darkleech Apache Attacks Intensify
Hi, this is S+bastien from ESET. To clarify, this threat is not related to Darkleech which is a different beast. While both target Apache servers, they are distinct pieces of code and send visitors to different instances of the Blackhole kit. However this does not change the fact that this trend is quite concerning.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
CVE-2018-7844
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
CVE-2018-7853
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
CVE-2018-7854
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.