Apache servers ambushed by sophisticated backdoor attacks

Apache web servers are being hit by a particularly pernicious backdoor called Linux/Cdorked.A that redirects visitors to the infected machines to sites serving the Blackhole exploit kit.

Discovered by security researchers at Sucuri and Eset, the malware is described as a sophisticated and stealthy backdoor meant to drive traffic to malicious websites.

In a blog post, Eset called the malware one of the most sophisticated Apache backdoors it has seen so far, and said hundreds of servers had already been compromised.

The backdoor leaves no trace on a compromised host's hard drive other than a modified Apache httpd binary. All of its configuration and state are kept in shared memory, and its command-and-control traffic is not recorded in any Apache log, which makes it hard for defenders to spot.

[Also see: Blackhole creator releases stealthier exploit kit]

"It resides all in memory so if you're doing forensics or incident response, and you're looking for signs on your hard drive that something bad has happened, you won't find them," Eset senior researcher Cameron Camp said in an interview.

"It has the ability to redirect visitors to your website to terrible places where they will get infected through the Blackhole exploit kit, which is a nasty piece of malware," he added.

Because the backdoor's state lives in memory, a reboot (or an Apache restart) wipes it; the modified binary stays on disk, however, until it is replaced, which typically happens when Apache is upgraded or patched from clean packages. The problem is that those patches aren't always installed in a timely fashion.
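The two properties described above, a backdoor whose only on-disk artifact is the replaced Apache binary and whose configuration lives in shared memory, suggest the checks a responder would run on a suspect host. The script below is an added example written for this page; it is not code from the article, Eset or Sucuri. It verifies a binary against a sha256 manifest captured while the host was known clean, wraps the equivalent package-manager checks, and lists shared-memory segments owned by the web server account. The manifest path, the sample files, the `www-data` account and the package names are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example for this page, not code from the article, Eset or Sucuri.
# Assumptions: sha256sum (or shasum) and awk are present; the manifest of
# known-good hashes comes from a trusted source (package database, golden
# image, build server) and is NOT taken from the suspect host.

# Print "<sha256>  <path>" for a file, the line format sha256sum emits.
hash_line() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# verify_against_manifest MANIFEST PATH
# Exit status: 0 = hash matches the manifest entry, 1 = file differs
# (a replaced binary looks like this), 2 = PATH has no manifest entry.
verify_against_manifest() {
    manifest="$1"
    path="$2"
    expected=$(awk -v p="$path" '$2 == p { print $1 }' "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(hash_line "$path" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# On a package-managed host the package database is the manifest. Run from a
# trusted live medium or with known-good copies of the tools: a backdoored
# host can lie to you. Package names are the usual defaults (an assumption).
package_verify_httpd() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V httpd                  # silent when every file matches
    elif command -v debsums >/dev/null 2>&1; then
        debsums -c apache2-bin        # lists files whose checksum changed
    else
        echo "no package verifier found" >&2
        return 2
    fi
}

# The backdoor keeps its configuration in System V shared memory, so a segment
# owned by the web server account that no known module explains is worth a look.
list_webserver_shm() {
    user="${1:-www-data}"             # account name is an assumption
    ipcs -m | awk -v u="$user" '$3 == u'
}

# Demo on constructed files: a "clean" binary, a manifest snapshot taken while
# it was clean, then the same path overwritten to stand in for a replaced httpd.
demo() {
    tmp=$(mktemp -d)
    printf 'clean httpd\n' > "$tmp/httpd"
    hash_line "$tmp/httpd" > "$tmp/manifest"
    verify_against_manifest "$tmp/manifest" "$tmp/httpd" && echo "httpd: matches manifest"
    printf 'backdoored httpd\n' > "$tmp/httpd"
    verify_against_manifest "$tmp/manifest" "$tmp/httpd" || echo "httpd: MODIFIED (status $?)"
    rm -rf "$tmp"
}

demo
```

A hash mismatch only tells you the file differs from the snapshot, so compare against the package database (or a freshly downloaded package) before concluding the binary was tampered with; a legitimate update changes the hash too. Because the backdoor's command-and-control activity never reaches the Apache logs, the binary and shared-memory checks are the starting point, not the log files.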

"Web servers are updated ad hoc," Camp said. "There's no set schedule."

"If a fix is released," he continued, "some more vigilant folks will update right away, but it's not uncommon to see an Apache server that hasn't been patched for weeks or months."

It's also still uncertain how the malware is reaching the servers in the first place, so even if it is flushed out of memory, a server could be reinfected within a short period.

"Unless you actively patch how they got into your server, they can get right back in," Camp said.

"That's what's so troubling right now -- whether this is being spread by a Web exploit or by brute force attacks on the server," he added.

Making matters worse, the attacks are targeting hosting servers. "They tend to be much more secure than an average website or server, and yet they're still getting compromised," said Mary Landesman, a senior security researcher with Cisco.

"There's a lot at stake for them to gain the necessary access and plant a backdoor," she added, "because when that server gets compromised, every website hosted by that server becomes a vector for malware."

This malware departs from previous infections in a worrisome way, Landesman said. "With past infections, once you knew what to look for, it was fairly easy to find them," she said. "With this evolution, it's going to be much harder."

These kinds of attacks on hosting servers are a growing trend in the digital underground, replacing the old practice of mass-registering domain names for use in harmful activity, noted Paul Ferguson, vice president for threat intelligence at Internet Identity.

"There's been a dramatic decline in domains that were registered for sheer malicious purposes in favor of hacking servers and using them to perpetrate other crimes," he told CSO.

"Servers have become the low hanging fruit," he said.


Stories by John P. Mello