Attackers are using a sophisticated and stealthy piece of malware to infect Apache Web servers.
The backdoor, dubbed Linux/Cdorked.A, is “one of the most sophisticated Apache backdoors we have seen so far,” according to Pierre-Marc Bureau, security intelligence program manager at ESET.
“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis,” he blogged. “All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system,” Bureau wrote.
Cdorked is designed to send users visiting a compromised site to servers hosting the notorious Blackhole exploit kit. According to ESET, the malware has already claimed hundreds of Web servers.
Just how the servers are initially being attacked is not clear, but it may be through brute force attacks, explained Daniel Cid, CTO of security firm Sucuri, in a blog post.
“For the last few months we have been tracking server level compromises that have been utilizing malicious Apache modules … to inject malware into Websites,” he wrote.
“However, during the last few months we started to see a change on how the injections were being done,” he added. “On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one.”
The compromised binary doesn’t change anything in terms of how the site looks, he noted. However, on some random requests—for example once per day per IP address—it added a malicious redirect as opposed to just displaying the content.
“After the redirection, a Web cookie is set on the client so it is not redirected again,” Bureau explained. “This cookie is also set if a request is made to a page that looks like an administration page. The backdoor will check if the URL, the server name, or the referrer matches any of the following strings: *adm*, *webmaster*, *submit*, *stat*, *mrtg*, *webmin*, *cpanel*, *memb*, *bucks*, *bill*, *host*, *secur* and *support*. This is probably done to avoid sending malicious content to administrators of the Website, making the infection harder to spot.”
Bureau recommended organizations check for the presence of the shared memory to make sure they are not infected. ESET has also made a free tool to allow systems administrators to verify the presence of the shared memory region and dump its content into a file.
Bureau recommended organizations check for the presence of the shared memory to make sure they are not infected. ESET has also made a free tool to allow systems administrators to verify the presence of the shared memory region and dump its content into a file.
The attack is just the latest example of attackers targeting Apache Web servers. Earlier this year, researchers uncovered the Darkleech campaign, which is believed to have infected thousands of Web servers running Apache 2.2.2 and above. So far, ESET Security Evangelist Stephen Cobb told eWEEK, no connection has been found between Linux/Cdorked.A and DarkLeech.
When attackers get full root access to the server, they can do anything they want, from modifying configurations to injecting modules and replacing binaries, Cid blogged.
“However, their tactics are changing to make it even harder for administrators to detect their presence and recover from the compromise,” he wrote.