4/3/2013
10:22 AM

Darkleech Attacks Hit 20,000 Websites

Malicious Apache modules, installed after root-level server compromises, are serving hard-to-detect real-time malware attacks against Windows users.

An estimated 20,000 legitimate websites that use Apache HTTP server software have been compromised in an attack campaign known as "Darkleech," which uses the sites to launch drive-by malware attacks against visitors.

"Thousands of Web servers across the globe running Apache 2.2.2 and above are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules," said Mary Landesman, a senior security researcher with the TRAC team at Cisco, in a blog post. "These modules are then used to turn hosted sites into attack sites, dynamically injecting iFrames in real-time, only at the moment of visit."

The Darkleech campaign is widespread and has infected sites around the world -- from Cyprus and Denmark to Italy and Thailand. That said, according to Cisco, from February 1, 2013, to March 15, 2013, 58% of the servers being used to launch the module injection attacks were based in the United States, followed by the United Kingdom (10%), Germany (9%) and Canada (3%).


Fraser Howard, a principal virus researcher at security firm Sophos, in early March 2013 reported that various attack modules -- later identified as being part of the Darkleech campaign -- were using JavaScript to inject malicious iFrames and redirect visitors to the Blackhole crimeware kit. Malicious iFrame attacks, which a website visitor wouldn't be able to see, use a malicious script embedded in a Web page to connect with a feeder site and download further malicious code.

At the time, Howard said that the related iFrame attacks were "the most prevalent Web threat detected on customer endpoints and Web appliances for the past few weeks, accounting for almost 30% of all detected Web threats." At least in part, that prevalence can be traced to the popularity of the Apache server software itself, which as of April 2013 -- according to Internet research firm Netcraft -- was used by about 50% of all websites in the world.

This is far from the first iFrame exploit campaign that's been discovered targeting Apache servers. But the Darkleech campaign's real-time attack techniques, coupled with attackers' root-level access to compromised Apache servers, could make eradicating the campaign quite difficult. "Because the iFrames are dynamically injected only when the pages are accessed, this makes discovery and remediation particularly difficult," said Cisco's Landesman.

"Given that these are dynamically generated, there would be no viable means to do a search to ferret them out on Google, etc.," she told Ars Technica, which first pieced together the extent of the Darkleech campaign.

In addition, "the attackers employ a sophisticated array of conditional criteria to avoid detection," said Landesman in her blog post. Those techniques include blacklisting IP addresses that belong to security researchers, owners of the data centers on which compromised domains are hosted, and search engine spiders. Attackers are also restricting the attacks to target only Windows systems as well as website visitors who appear to have arrived at a site via a search engine. Finally, the attack reviews a user's cookies to see if they're a longtime visitor to the site. If not, the target gets added to a "wait list" for later attack.

But the attacks do have a recognizable signature, and Landesman has developed a search string that can be used to identify some of them. "When the iFrame is injected on the page, the convention used for the reference link in the injected iFrame is IP/hex/q.php," she said, offering the following URL -- which is currently serving the attack -- as an example: "129.121.179.168/d42ee14e4af7a0a7b1033b8f8f1eb18a/q.php."
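A defender-side check for the signature Landesman describes, added here as an example and not taken from the article or from Cisco: it parses a page as captured from a real visitor's session (because the injection is served conditionally, a page fetched by a scanner may not contain it) and flags iframes whose source follows the IP/hex/q.php convention, then applies the same pattern to proxy log lines. The sample page and log lines are constructed, and accepting 16 to 64 hex digits in the directory name is an assumption.

```python
import re
from html.parser import HTMLParser

# Cisco's reported Darkleech convention: injected iframe src = IP/hex/q.php.
# The published example used a 32-character hex directory; accepting 16-64
# hex digits is an assumption so that near-variants are also flagged.
DARKLEECH_URL = re.compile(
    r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})/([0-9a-fA-F]{16,64})/q\.php\b")

def is_hidden_iframe(attrs):
    """Heuristic: an iframe the visitor would not see (zero size or hidden style)."""
    a = {k.lower(): (v or "").lower().replace(" ", "") for k, v in attrs}
    return (a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            or "display:none" in a.get("style", "")
            or "visibility:hidden" in a.get("style", ""))

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []                       # (src, hidden) per <iframe>
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = next((v for k, v in attrs if k.lower() == "src"), None) or ""
            self.iframes.append((src.strip(), is_hidden_iframe(attrs)))

def find_darkleech_iframes(html):
    """Return one dict per iframe whose src follows the IP/hex/q.php convention."""
    p = _IframeCollector()
    p.feed(html)
    return [{"src": s, "host": m.group(1), "hidden": h}
            for s, h in p.iframes if (m := DARKLEECH_URL.match(s))]

def scan_client_log(lines):
    """Flag proxy/EDR request lines that hit a q.php URL of the same shape."""
    return [ln for ln in lines if DARKLEECH_URL.search(ln)]

# Constructed sample page: a benign embed plus a Darkleech-style injection
# (TEST-NET address, made-up hex directory).
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://203.0.113.5/0123456789abcdef0123456789abcdef/q.php"
        width="0" height="0" style="display: none"></iframe>
</body></html>"""

# Constructed proxy log lines in a simplified "timestamp client-ip method URL" form.
SAMPLE_LOG = [
    "2013-03-10T12:00:01 10.0.0.7 GET http://example.test/index.html",
    "2013-03-10T12:00:02 10.0.0.7 GET http://203.0.113.5/0123456789abcdef0123456789abcdef/q.php",
    "2013-03-10T12:00:03 10.0.0.9 GET http://203.0.113.5/static/q.php",
]
```

A hit that is also hidden is the strongest indicator; a visible match still merits a look, since the convention alone is what Cisco used to identify the campaign.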

That site -- along with multiple other sites that have been compromised by Darkleech attackers -- is hosted by Albuquerque, N.M.-based Oso Grande Technologies. An email sent to the company's network operations center (out of business hours), asking if the company was aware that its servers were being used to host multiple Darkleech attacks and if it was remediating the attacks wasn't immediately returned.

Administrators of any site that's serving Darkleech infections will need to coordinate with their hosting provider to deal with the compromise, which actually affects the hosting company's system. Remediating the attacks will also require root-level access to servers, which a hosting client typically won't enjoy.

As that suggests, coordinating related cleanup efforts could prove difficult. "Even if website owners/operators suspect the host server may be the source, they would still need to convince the hosting provider, who may discount their report," said Landesman. "Even if the hosting provider is responsive, the malicious Apache modules and associated SSHD backdoor may be difficult to ferret out, and the exact method will vary depending on server configuration."

Landesman is referring to SSHD, the secure shell daemon that implements the server side of the SSH protocol and provides encrypted remote login and administration of a server; the attackers are using a compromised SSHD to keep their access to affected sites. "Since SSHD is compromised, remediation of the attack and preventing further occurrences may require considerable procedural changes that, if not carried out properly, could cause a privilege lockout for valid administrators or be ineffective and lead to continued compromise," she said.

Furthermore, according to a January blog post from Daniel Cid, CTO at security firm Sucuri, attackers appear to have installed their own SSHD software on compromised machines. "We have noticed that they are modifying all SSH binaries and inserting a version that gives them full access back to the server," he said. "The modifications not only allow them to remote into the server bypassing existing authentication controls, but also allow them to steal all SSH authentications and push it to their remote servers." As a result, attackers have likely also been able to compromise all administrator credentials -- including hosting customers' usernames and passwords -- on affected systems.
