Wednesday 24 September 12:00 - 12:30, Green room.
Cathal Mullaney Symantec
Sayali Kulkarni Symantec
In late 2011, we investigated a persistent malware infection that was specific to Linux installations of the Apache web server. The infection was unusual in that it used Apache's own APIs as the means to attack and infect unsuspecting clients. Rather than injecting an iframe into static web pages on disk, it dynamically modified every web page served to a client's browser so that it carried malicious content. By leveraging the Apache module API and output filtering framework, the attackers were able to serve malware to thousands of targeted users.
Originally classified as Trojan.Apmod, the malware re-emerged in 2012 as Linux.Chapro and was ultimately identified as a component of the Darkleech exploit kit. Over the past year, tens of thousands of active infections have been identified, with victims ranging from private businesses and educational institutions to the web servers of prominent security vendors. What first appeared to be a targeted attack has since been identified as part of a wider trend of Linux malware infections. These infections, targeting Linux installations of the Apache web server, have proven to be an ideal vector for serving malware on a global scale.
This paper will demonstrate that targeting Linux-based Apache web servers is an active and extremely effective method of malware distribution. We present an overview of Linux malware and a technical analysis of Apache-based infections. We discuss common infection vectors for Linux servers, the payload infection chain, and final payloads distributed to clients. We also present statistics on current, active infection rates and geographical distributions of infected servers. Furthermore, we present an end-to-end live demonstration of this type of Linux-based Apache malware infection.
A targeted Linux malware infection, aimed at one of the most popular web servers in the world, allows malware authors to bite the hand that serves us all.
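Two checks a responder can run against the infection mechanism the abstract describes, as an added example that is not code from the paper or from Symantec: it assumes an administrator who knows which Apache modules the host should load and can read the site's files, and the module names, hostnames and HTML below are constructed for illustration.

```python
"""Two checks for a serve-time response rewriter on an Apache host.

Added example, not code from the paper. Assumes an administrator with an
allowlist of expected Apache modules and read access to the site's files.
All sample data below is constructed.

Check 1: parse `apachectl -M` output and flag modules not on the allowlist.
Check 2: diff the HTML a client receives against the file on disk; any
element present only in the served copy was added at serve time, which is
exactly what an output filter does.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample of `apachectl -M` output. "example_inject_module" is a
# placeholder name for a module the administrator did not install.
SAMPLE_APACHECTL_M = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (shared)
 dir_module (shared)
 mime_module (shared)
 example_inject_module (shared)
"""

# Assumed allowlist: the modules this host is expected to load.
EXPECTED_MODULES = {
    "core_module", "so_module", "http_module",
    "mpm_prefork_module", "dir_module", "mime_module",
}

MODULE_LINE = re.compile(r"^\s*(\w+)\s+\((static|shared)\)\s*$")


def parse_loaded_modules(apachectl_output):
    """Return [(module_name, 'static'|'shared'), ...] from `apachectl -M` text."""
    mods = []
    for line in apachectl_output.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            mods.append((m.group(1), m.group(2)))
    return mods


def unexpected_modules(apachectl_output, expected=EXPECTED_MODULES):
    """Names of loaded modules that are not on the allowlist."""
    return sorted(name for name, _ in parse_loaded_modules(apachectl_output)
                  if name not in expected)


class _TagCollector(HTMLParser):
    """Collect every start tag with its attributes as a hashable tuple."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Bare attributes have value None; normalise to "" so tuples sort.
        self.tags.append((tag, tuple(sorted((k, v or "") for k, v in attrs))))


def collect_tags(html):
    p = _TagCollector()
    p.feed(html)
    p.close()
    return p.tags


def injected_elements(on_disk_html, served_html):
    """Start tags present in the served response but absent from the file on disk."""
    extra = Counter(collect_tags(served_html)) - Counter(collect_tags(on_disk_html))
    return sorted(extra.elements())


# Constructed: a static page as stored on disk, and the same page as a
# client received it, with a hidden 1x1 iframe appended before </body>.
ON_DISK_HTML = """<!DOCTYPE html>
<html><head><title>Example site</title></head>
<body><h1>Welcome</h1><p>A static page served from disk.</p></body></html>
"""
SERVED_HTML = ON_DISK_HTML.replace(
    "</body>",
    '<iframe src="http://example.invalid/gate" width="1" height="1" '
    'style="visibility:hidden"></iframe></body>',
)

if __name__ == "__main__":
    print("modules not on allowlist:", unexpected_modules(SAMPLE_APACHECTL_M))
    for tag, attrs in injected_elements(ON_DISK_HTML, SERVED_HTML):
        print("injected at serve time:", tag, dict(attrs))
```

Before removing a flagged module, confirm what it is with the package manager: `dpkg -S` (Debian) or `rpm -qf` (RHEL) on the shared object named in its LoadModule line tells you whether any package owns it, and `debsums` or `rpm -Vf` whether it still matches the package's checksum. Fetch the served copy from an external client the way a visitor would, not from localhost: an output filter sees every request and is free to rewrite only the ones it chooses.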
Cathal Mullaney was born in Dublin, Ireland, in 1983. He studied computer applications/software engineering at Dublin City University (DCU) for his primary degree. Cathal joined Symantec Security Response, Dublin, in 2005 shortly after finishing his primary degree. Cathal worked for Symantec until 2007, when he returned to DCU to complete a master's degree in security and forensic computing. Upon completion of his master's, he rejoined Security Response in 2008 and is currently a senior security response engineer with the OPs team. In 2013, he presented a paper entitled 'Billion Dollar Botnets' at the Virus Bulletin conference in Berlin, Germany.
Sayali Kulkarni was born in Pune, India, in 1989. She received her Bachelor of Engineering degree in computer science in August 2010 from the University of Pune. In February 2011, shortly after her graduation, Sayali joined Symantec India Pvt Ltd. Sayali currently works in the India Security Response Lab under the STAR organisation as a threat analysis engineer.