ESET researchers, together with their counterparts at web security firm Sucuri, have been analyzing a new threat affecting Apache webservers, the most well-known and widely-used webserver in the world. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor, Linux/Cdorked.A and it is the most sophisticated Apache backdoor seen so far.
To date, ESET researchers have identified hundreds of compromised webservers thanks to the ESET LiveGrid® threat telemetry.
“The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified "httpd" file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis”,
says Pierre-Marc Bureau, ESET Security Intelligence Program Manager.
In addition, Linux/Cdorked.A takes other steps to avoid detection, both on the compromised webserver and web browsers of computers visiting it.
“The backdoor’s configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools. The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex”,
adds Righard Zwienenberg, Senior Research Fellow.
The Blackhole exploit kit is a popular and prevalent exploit kit using new zero day and known exploits, to take control of your system when you visit a site that is comprised and infected by the Blackhole kit. When someone visits a compromised webserver, they are not simply redirected to a malicious website - a web cookie is set in the browser so the backdoor will not send them there a second time. The web cookie is not set on the administrator pages: the backdoor checks the visitor’s referrer field and if they are redirected to the webpage from a URL that has certain key words in it like "admin" or "cpanel", no malicious content is served.
ESET urges system administrators to check their servers and verify that they are not affected by this threat. A free detection tool, detailed instructions on how to check for the backdoor and a full technical analysis of Linux/Cdorked.A are available on on WeLiveSecurity.com - ESET’s news platform with the latest information and analysis on cyber threats and useful security tips - in the Linux/Cdorked blog post.
Further information about Linux/Cdorked.A is also available on the Sucuri blog as well.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 25 years, the Company has led the industry in proactive threat detection. By obtaining the 75th VB100 award in September 2012, ESET NOD32® Antivirus holds the world record for the number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. ESET holds a number of accolades from AV-Comparatives, Virus Bulletin, AV-TEST and other independent testing organizations. ESET NOD32® Antivirus, ESET Smart Security®, ESET® Endpoint Solutions, ESET® Mobile Security and ESET® Cyber Security (solution for Mac) are trusted by millions of global users and are among the most recommended security solutions in the world. The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic). ESET® has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries.
About Sucuri
Sucuri is a California Limited Liability Corporation, headquartered in the jewel of the South – The Inland Empire. Sucuri team is spread across two continents – North and South America. The company was founded by two highly passionate members of the Information Security (InfoSec) domain, both focusing on two very distinct areas – Defensive/Preventive and Awareness. Sucuri’s inception was in 2007 in the bedroom of its founder, but the idea of tackling the web-based malware problem first came to us in 2004. You can find distant cousins of the company’s engine under the name of Owl, version .1, and WIGS (Web Information Gathering System). Both open-source projects were offered to the masses for free. It was through this process that the company built the knowledge required to understand what end-users really need.