Fallout of Apache backdoor spreads

Stefan Mileschin · 10th May 2013, 06:44

It is starting to look like the existence of Linux/Cdorked.A could be a serious problem for the owners of web servers.

Linux/Cdorked.A is an advanced and stealthy Apache backdoor which can drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs.

Now security experts at Eset have found that the backdoor also infects sites running the nginx and Lighttpd web servers.

While Apache is the bigger of the names, nginx has 15 percent of the webserver market and Eset has found 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites.

Those who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are the only ones who get redirected to sites hosting Blackhole, but Apple iOS users are also in danger as they get redirected to adult content sites that might be hosting malware.

A spokesperson from Eset said that it looks like the Linux/Cdorked.A threat is more stealthy than first thought. For example it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges. If the victim's internet browser's language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian, then the malware will not run.

The aim of this is to keep the work of the malware beneath the radar of the authorities and hinder monitoring efforts.

Cdorked uses compromised DNS servers to resolve the IP addresses of redirected sites which also makes the source of the malware hard to find.

At the moment the Blackhole exploit kit is currently delivering a variant of the Glupteba Trojan to the unsuspecting victims. This pushes clickjacking contextual advertising onto users.

But there is a lot about the backdoor that the researchers have not worked out yet. It is not clear how the malicious software was installed on the web servers. The malware does not propagate by itself and it does not exploit vulnerabilities in specific software.

To help system administrators spot the existence of the backdoor on their web servers, Eset has released a script that detects a specific modified httpd binary on the hard drive that's a definitive sign of infection.

http://news.techeye.net/security/fal...ckdoor-spreads

10th May 2013, 06:44	#1
Stefan Mileschin [M] Reviewer Join Date: May 2010 Location: Romania Posts: 148,553	Fallout of Apache backdoor spreads It is starting to look like the existence of Linux/Cdorked.A could be a serious problem for the owners of web servers. Linux/Cdorked.A is an advanced and stealthy Apache backdoor which can drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs. Now security experts at Eset have found that the backdoor also infects sites running the nginx and Lighttpd web servers. While Apache is the bigger of the names, nginx has 15 percent of the webserver market and Eset has found 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites. Those who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are the only ones who get redirected to sites hosting Blackhole, but Apple iOS users are also in danger as they get redirected to adult content sites that might be hosting malware. A spokesperson from Eset said that it looks like the Linux/Cdorked.A threat is more stealthy than first thought. For example it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges. If the victim's internet browser's language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian, then the malware will not run. The aim of this is to keep the work of the malware beneath the radar of the authorities and hinder monitoring efforts. Cdorked uses compromised DNS servers to resolve the IP addresses of redirected sites which also makes the source of the malware hard to find. At the moment the Blackhole exploit kit is currently delivering a variant of the Glupteba Trojan to the unsuspecting victims. This pushes clickjacking contextual advertising onto users. But there is a lot about the backdoor that the researchers have not worked out yet. It is not clear how the malicious software was installed on the web servers. The malware does not propagate by itself and it does not exploit vulnerabilities in specific software. To help system administrators spot the existence of the backdoor on their web servers, Eset has released a script that detects a specific modified httpd binary on the hard drive that's a definitive sign of infection. http://news.techeye.net/security/fal...ckdoor-spreads

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Ubsoft DRM ships with backdoor	Stefan Mileschin	WebNews	0	1st August 2012 08:49
New Mac OS X backdoor discovered	Stefan Mileschin	WebNews	0	5th July 2012 07:08
Apache Object-Oriented Data Project Goes Top-Level	Shogun	WebNews	0	9th January 2011 07:02
ProFTPD.org Compromised, Backdoor Distributed	jmke	WebNews	0	2nd December 2010 16:54
Xigmatek Apache EP-CD901 Top-flow cooler	jmke	WebNews	0	12th December 2008 10:58
Microsoft to sponsor the Apache Software Foundation	jmke	WebNews	0	25th July 2008 19:25
F@H spreads out from CPU's	Zwaplat	Site & Forum Feedback - Folding@Home	4	22nd June 2008 09:55
Opening the TiVo Backdoor	jmke	WebNews	0	1st June 2005 16:25
Apache cache	Bosw8er	Hardware/Software Problems, Bugs	5	8th April 2004 12:21
putty-apache-... Problems	FreeStyler	Hardware/Software Problems, Bugs	9	14th February 2004 21:14