Apache binaries replaced by stealth malcious ones

Posted by   Virus Bulletin on   Apr 30, 2013

Malicious servers opening backdoors, performing redirects.

Researchers at ESET and Sucuri have discovered a modified Apache binary that is used on hundreds of web servers to perform malicious redirects and open a backdoor to the server, while going to great lengths to hide its activity.

Recently, thousands of websites - most prominently that of the LA Times - have been compromised and malicious Apache modules installed to serve malware to visitors of the sites.

But this new attack goes a step further: rather than adding modules, it replaces the Apache binary itself. Through a special HTTP GET request, the attacker can open a backdoor and thus control the behaviour of the server. As this request doesn't appear in the HTTP logs and the configuration is only stored in shared memory, barely any trace of the command and control communication is left on the server.

The compromised servers are then used to redirect users to both spam sites and the 'Blackhole' exploit kit. Again, the malware authors have gone to a lot of effort to prevent their activity from being detected: redirects are only performed once for each IP address, whereas no redirects are performed on pages typically visited by the site's administrator, thus making it less likely for them to discover that something is amiss.

For now, the question of how the machines are compromised in the first place remains unanswered. Malware and keyloggers stealing FTP and login credentials are a known problem, but these usually wouldn't provide the attackers with the root access needed to replace the Apache binary. It could of course be that these sites use the same password for root, or have passwordless sudo set up, but it may also be the case that another vulnerability is being used to escalate the attacker's privileges.

While one may start to wonder whether it is time to run security software on web servers, administrators of servers running Apache are urged to check if their server is infected; ESET has provided a simple Python script for this purpose.

More at ESET's We Live Security blog here and at Sucuri's blog here.

Posted on 30 April 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 London - join us for the most international threat intelligence conference!

VB calls on organisations and individuals involved in threat intelligence from around the world to participate in next year's Virus Bulletin conference.

VB2018 paper: Tracking Mirai variants

Today, we publish the VB2018 paper by Qihoo 360 researchers Ya Liu and Hui Wang, on extracting data from variants of the Mirai botnet to classify and track variants.

VB2018 paper: Hide'n'Seek: an adaptive peer-to-peer IoT botnet

2018 has seen an increase in the variety of botnets living on the Internet of Things - such as Hide'N'Seek, which is notable for its use of peer-to-peer for command-and-control communication. Today, we publish the VB2018 paper by Bitdefender…

New paper: Botception: botnet distributes script with bot capabilities

In a new paper, Avast researchers Jan Sirmer and Adolf Streda look at how a spam campaign sent via the Necurs botnet was delivering the Flawed Ammyy RAT. As well as publishing the paper, we have also released the video of the reseachers' VB2018…

VB2018 video: Behind the scenes of the SamSam investigation

Today we have published the video of the VB2018 presentation by Andrew Brandt (Sophos) on the SamSam ransomware, which became hot news following the indictment of its two suspected authors yesterday.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.