Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Apache servers ambushed by sophisticated backdoor attacks

John P. Mello | May 2, 2013
Researchers at Sucuri and Eset say the attacks, which delivers the Blackhole malware kit to site visitors, leaves no trace on servers

Apache servers are being ambushed by a particularly pernicious malware program called Linux/Cdorked.A that's infecting visitors to the sick machines with the Blackhole malware kit.

Discovered by security researchers at Sucuri and Eset, they describe the malware a a sophisticated and stealthy backdoor meant to drive traffic to malicious websites.

Eset explained in a blog post that the malware is one of the most sophisticated Apache backdoors it has seen so far. So far, hundreds of servers have been compromised, it said.

The backdoor leaves no traces of compromised hosts on the hard drive other than a modified binary file, it continued. In addition, all of the information related to the backdoor is stored in shared memory and information on its command and control activity isn't recorded in any Apache logs, making it difficult for defenders to identify it.

"It resides all in memory so if you're doing forensics or incident response, and you're looking for signs on your hard drive that something bad has happened, you won't find them," Eset senior researcher Cameron Camp said in an interview.

"It has the ability to redirect visitors to your website to terrible places where they will get infected through the Blackhole exploit kit, which is a nasty piece of malware," he added.

Since the malware resides in memory, if the server is rebooted, the malware will disappear. Reboots occur when Apache is upgraded or patched. The problem is, those patches aren't always installed in a timely fashion.

"Web servers are updated ad hoc," Camp said. "There's no set schedule."

"If a fix is released," he continued, "some more vigilant folks will update right away, but it's not uncommon to see an Apache server that hasn't been patched for weeks or months."

It's also still uncertain how the malware is reaching the server in the first place. So even the malware is flushed out of memory, it could be re-infected within a short period of time.

"Unless you actively patch how they got into your server, they can get right back in," Camp said.

"That's what's so troubling right now -- whether this is being spread by a Web exploit or byÃ'Â brute force attacks on the server," he added.

Making matters worse is that the attacks are being targeted at hosting servers. "They tend to be much more secure than an average website or server, and yet they're still getting compromised," said Mary Landesman, a senior security researcher with Cisco.

"There's a lot at stake for them to gain the necessary access and plant a backdoor," she added, "because when that server gets compromised, every website hosted by that server becomes a vector for malware."


1  2  Next Page 

Sign up for CIO Asia eNewsletters.