Attack hitting Apache websites is invisible to the naked eye

April 29, 2013 – 5:20 PM

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.

“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on their with your standard tool sets and destroy the evidence.”

Linux/Cdorked.A leaves no traces of the hosts it has infected on hard drives. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren’t logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.


You must be logged in to post a comment.