Author Topic: Darkleech messing with Apache servers  (Read 117 times)

Offline ebvt

Darkleech messing with Apache servers
« on: April 03, 2013, 02:32:36 PM »
I admit this is way over my head, but some security gurus might want to chew on it:
http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/

I guess keeping out of Java, using Noscript and deleting Adobe Reader  helps the innocent user!?

ebvt

Offline menotu

Re: Darkleech messing with Apache servers
« Reply #1 on: April 03, 2013, 02:57:25 PM »
A few points ( out of many).
===================

In active development

With the help of Cisco Security Engineer Gregg Conklin, Landesman observed Darkleech infections on almost 2,000 Web host servers during the month of February and the first two weeks of March. The servers were located in 48 countries, with the highest concentrations in the US, UK, and Germany.

Assuming the typical webserver involved hosted an average of 10 sites, that leaves the possibility that 20,000 sites were infected over that period.

The attacks were documented as early as August on researcher Denis Sinegubko's Unmask Parasites blog.

They were observed infecting the LA Times website in February and the blog of hard drive manufacturer Seagate last month, an indication the attacks are ongoing. Landesman said the Seagate infection affected media.seagate.com, which was hosted by Media Temple, began no later than February 12, and was active through March 18. Representatives for both Seagate and the LA Times said the sites were disinfected once the compromises came to light.

"I regularly receive e-mails and comments to my blog posts about new cases," Sinegubko told Ars last week. "Sometimes it's a shared server with hundreds or thousands of sites on it. Sometimes it's a dedicated server with some heavy-traffic site."

Referring to the rogue Apache modules that are injected into infected sites, he added, "Since late 2012 people have sent me new versions of the malicious modules, so this malware is in active development, which means that it pays off well and the number of infected servers can be high (especially given the selectivity of the malware that prefers to stay under the radar rather than infecting every single visitor)."

Landesman picked a random sample of 1,239 compromised websites and found all were running Apache version 2.2.22 or higher, mostly on a variety of Linux distributions. According to recent blog posts published here and here by researchers from security firm Sucuri, Darkleech uses rogue Apache modules to inject malicious payloads into the webpages of the sites it infects and to maintain control of compromised systems. Disinfecting Web servers can prove extremely difficult since the malware takes control of the secure shell (SSH) mechanism that legitimate administrators use to make technical changes and update content to a site.


LA Times post
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000

Offline menotu

Re: Darkleech messing with Apache servers
« Reply #2 on: April 30, 2013, 05:46:22 AM »
by Dan Goodin - Apr 29, 2013

Admin beware: Attack hitting Apache websites is invisible to the naked eye

Newly discovered Linux/Cdorked evades detection by running in shared memory.

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle's Java, Adobe's Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they're infected.

"Unless a person really has some deep-dive knowledge on the incident response team, the first thing they're going to do is kill the evidence," Cameron Camp, a security researcher at Eset North America, told Ars. "If you run a large hosting company you're not going to send a guy in who's going to do memory dumps, you're going to go on there with your standard tool sets and destroy the evidence."

Linux/Cdorked.A leaves no traces of compromised hosts on the hard drive other than its modified HTTP daemon binary. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren't logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.

"The thing is receiving commands," Camp said. "That means that suddenly you have a new vector that is difficult to detect but is receiving commands. Blackhole is a tricky piece of malware anyway. Now suddenly you have a slick delivery method."

In addition to hiding evidence in memory, the backdoor is programmed to mask its malicious behavior in other ways. End users who request addresses that contain "adm," "webmaster," "support," and similar words often used to denote special administrator webpages aren't exposed to the client exploits. Also, to make detection harder, users who have previously been attacked are not exposed in the future.

It remains unclear what the precise relationship is between Linux/Cdorked.A and Darkleech, the Apache plug-in module conservatively estimated to have hijacked at least 20,000 sites. It's possible they're the same module, different versions of the same module, or different modules that both expose end users to Blackhole exploits. It also remains unclear exactly how legitimate websites are coming under the spell of the malicious plugins. While researchers from Sucuri speculate it takes hold after attackers brute-force the secure-shell access used by administrators, a researcher from Cisco Systems said he found evidence that vulnerable configurations of the Plesk control panel are being exploited to spread Darkleech. Other researchers who have investigated the ongoing attack in the past six months include AV provider Sophos and those from the Malware Must Die blog.

http://arstechnica.com/security/2013/04/admin-beware-attack-hitting-apache-websites-is-invisible-to-the-naked-eye/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
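The two quoted articles give a server admin two things that do survive on disk: Darkleech loads a rogue Apache module (Reply #1), and Linux/Cdorked.A leaves "its modified HTTP daemon binary" as its only on-disk trace (Reply #2). The script below is an added example, not code from Ars Technica, ESET, Sucuri or anyone in this thread, showing the two host-side checks a defender would run from a clean rescue environment: compare every LoadModule directive against an allowlist of modules the distribution package actually ships, and compare the httpd binary's SHA-256 against a known-good digest taken from the package. The sample config, the module name `example_rogue_module`, the paths and the stand-in "binary" are all constructed for the example; in practice the allowlist and digest manifest come from the package manager (for instance the file list of the httpd package), not from a hand-typed set.

```python
"""Defender-side integrity checks for an Apache host.

Added example: constructed config, module names, paths and digests.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed httpd.conf fragment.  The last LoadModule line is the kind of
# entry a rogue module adds; its name and path are placeholders.
SAMPLE_CONF = """\
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule rewrite_module modules/mod_rewrite.so
# entry below is constructed for this example
LoadModule example_rogue_module /usr/lib64/httpd/modules/mod_example_rogue.so
"""

# Allowlist of module names shipped by the (assumed) distribution package.
KNOWN_MODULES = {"dir_module", "mime_module", "rewrite_module"}

# Anchored at line start so commented-out directives are not counted.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.MULTILINE)


def find_unexpected_modules(conf_text, known=KNOWN_MODULES):
    """Return (name, path) for every LoadModule whose name is not allowlisted."""
    return [(name, path) for name, path in LOADMODULE_RE.findall(conf_text)
            if name not in known]


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest):
    """Compare files on disk with expected digests; return the mismatches.

    manifest maps path -> expected SHA-256.  A missing file is reported as
    well (actual digest None), since a replaced daemon may have been moved.
    """
    mismatches = []
    for path, expected in manifest.items():
        p = Path(path)
        actual = sha256_file(p) if p.is_file() else None
        if actual != expected:
            mismatches.append((path, expected, actual))
    return mismatches


def demo_binary_check():
    """Run the digest check against a constructed stand-in for httpd.

    Records the digest of a fresh file, then appends bytes to it the way a
    trojaned daemon differs from the packaged one, and returns the mismatch
    list (exactly one entry).
    """
    with tempfile.TemporaryDirectory() as tmp:
        fake_httpd = Path(tmp) / "httpd"
        fake_httpd.write_bytes(b"\x7fELF" + b"\x00" * 64)   # constructed content
        manifest = {str(fake_httpd): sha256_file(fake_httpd)}
        assert verify_manifest(manifest) == []              # clean: nothing reported
        with open(fake_httpd, "ab") as fh:
            fh.write(b"extra-bytes")                        # simulated modification
        return verify_manifest(manifest)


if __name__ == "__main__":
    for name, path in find_unexpected_modules(SAMPLE_CONF):
        print(f"unexpected module {name} loaded from {path}")
    for path, expected, actual in demo_binary_check():
        print(f"digest mismatch for {path}: expected {expected[:12]}, got {actual[:12]}")
```

Both checks are only as good as the reference they compare against, so the allowlist and digests must come from the package manager or a trusted copy, not from the suspect host's own files. They also catch only what touches disk: the second article says Cdorked's configuration lives in shared memory and its commands are not logged, so a clean result here does not clear the box, and a memory capture taken before any cleanup is still the step that preserves the evidence.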