Cybercrime

‘Darkleech’ Malware Infects 20,000 Legitimate Apache Powered Sites

Malicious SSHD Backdoor Allows Remote Attackers to Upload and Configure Malicious Apache Modules on Web Servers

An estimated 20,000 legitimate Websites running Apache’s Web server software have been infected by the “Darkleech” malware in the past few weeks alone, according to Cisco.

Remote attackers are uploading and configuring malicious Apache modules onto compromised Web servers infected via an SSHD backdoor, Mary Landesman, a senior security researcher with Cisco Web Security, wrote on the Cisco blog Tuesday.

The malware infects Linux servers running Apache 2.2.2 and above, Landesman said, and injects iFrames into the sites hosted on the compromised box; those sites are then used to launch drive-by-malware attacks against unsuspecting visitors. How Darkleech initially got onto the servers and gained root access remains unclear. Potential attack vectors include exploiting security holes in Web administration software, cracked passwords, and social engineering.

The injected iFrames are generated dynamically at the moment a page is served and do not exist beforehand, making “discovery and remediation particularly difficult,” Landesman said. Even so, she was able to identify a pattern in the injected iFrame's source URL that administrators can look for: an IP address, then a hexadecimal string, followed by q.php.

Because the injected code is never stored in the Website's own files, most website owners and operators will not be able to detect or clean the compromise, Landesman said. Cleaning up also requires root-level access to the Web server, something most website owners do not have in a hosting environment. The nature of the malware also makes it difficult for the affected Website owner to convince the hosting provider there is a problem.

In fact, the provider “may discount their report,” Landesman said.

The attackers use other tricks to avoid detection: blacklisting search-engine spiders, checking cookies to “wait list” recent visitors, checking referrer URLs to make sure visitors are arriving at the site via valid search-engine results, and checking user agents to target specific operating systems. To date, the malware appears to target Windows users. Darkleech can also check visitor IP addresses and blacklist those belonging to security researchers, site owners, and hosting providers.
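The URL pattern described above and the visitor filtering in the previous paragraph together suggest how a site owner can check from the outside. The shell script below is an added example, not code from the Cisco report or from SecurityWeek: it scans a saved copy of a page for an iframe whose src matches IP address / hexadecimal string / q.php, and it defines a curl helper that fetches a page with a Windows browser User-Agent, a search-engine Referer and no cookies, so the request looks like the first-time visitor the injector targets. The regular expression is this example's own rendering of the pattern (Cisco's exact signature is not given on this page); the sample page, the 203.0.113.45 address (a documentation range) and the hexadecimal string are constructed, and the User-Agent and Referer values are illustrative.

```shell
#!/bin/sh
# Added example (not from the Cisco report): look for the Darkleech iframe
# pattern, http://<IPv4 address>/<hex string>/q.php, in a saved HTML page.

# Extended regex for an <iframe> whose src is <ip>/<hex>/q.php. The -i used
# below makes it case-insensitive, which also covers upper-case hex digits.
DARKLEECH_RE="<iframe[^>]*src=[\"']?https?://([0-9]{1,3}[.]){3}[0-9]{1,3}/[0-9a-f]+/q[.]php"

# Print the src URL of every matching iframe in the file $1, one per line.
darkleech_urls() {
    grep -E -o -i "$DARKLEECH_RE" "$1" | grep -E -o -i 'https?://.*' || true
}

# Number of matching iframes in the file $1 (prints 0 when the page is clean).
darkleech_count() {
    darkleech_urls "$1" | grep -c . || true
}

# Fetch a live page the way the injector expects a victim to arrive: a Windows
# browser User-Agent, a Google Referer and no cookies. Repeat visitors, search
# engine spiders and blacklisted researcher/hoster IPs get a clean page, so a
# negative result from your own workstation proves little. Not invoked here.
fetch_as_victim() {
    curl -sS -L \
        -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36" \
        -e "https://www.google.com/search?q=example" \
        "$1"
}

# Constructed sample page: one legitimate iframe and one injected one.
# 203.0.113.45 is from the documentation address range, not a real host.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<html><head><title>Example site</title></head>
<body>
<p>Welcome</p>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
<iframe src="http://203.0.113.45/3f9a1c7e2b/q.php" style="visibility:hidden;position:absolute;left:0;top:0;" width="10" height="10"></iframe>
</body></html>
EOF

echo "injected iframes: $(darkleech_count "$SAMPLE")"
darkleech_urls "$SAMPLE"
# Live usage: fetch_as_victim "http://www.example.com/" > page.html; darkleech_urls page.html
```

Fetch each URL more than once from different networks and with a fresh cookie jar each time; because the injector serves the clean page to repeat visitors and to blacklisted addresses, a single clean fetch is not evidence that a site is uninfected.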

Darkleech has infected sites worldwide, including in Asia, Europe, and Australia. Over half of the servers being used to launch the injection attacks were based in the United States, United Kingdom, Germany, and Canada, she said.

Remediation will be tricky, since administrators will first need to find the malicious modules and the associated secure shell daemon (sshd) backdoor on the impacted server. sshd is the daemon that implements the SSH protocol, which encrypts remote logins to the server, and the backdoor itself may vary from server to server and be a challenge to find. Since sshd is compromised, remediation may require “considerable procedural changes” to ensure the issue is actually resolved.

Blackhole Exploit Kit

Administrators or owners of sites should check their Apache configuration right away and look for unexpected modules being loaded.
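One way to do that check, and to produce the list of module files to verify as part of the remediation described earlier, as an added example that is not from the Cisco report or from the Apache project: the script below pulls every LoadModule directive out of an Apache configuration, compares the module names with an allowlist kept off the server, and prints the module file paths so each can be checked against the package manager. The configuration excerpt, the allowlist and the example_unknown_module name are constructed; the module names actually used by Darkleech are not given on this page.

```shell
#!/bin/sh
# Added example: enumerate the modules an Apache configuration loads and flag
# any that are not on a known-good allowlist. The httpd.conf excerpt, the
# allowlist and the example_unknown_module name below are constructed.

# Module names from every LoadModule directive in the given config file(s);
# commented-out directives are ignored. Pass the main file and everything it
# Includes, e.g. /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf.
loaded_modules() {
    grep -h -E '^[[:space:]]*LoadModule[[:space:]]' "$@" | awk '{print $2}' | sort -u
}

# Module file paths from the same directives, for checking ownership and
# hashes on a live host (dpkg -S <path> or rpm -qf <path>); a .so under the
# modules directory that no package owns is a strong signal.
module_paths() {
    grep -h -E '^[[:space:]]*LoadModule[[:space:]]' "$@" | awk '{print $3}' | sort -u
}

# Loaded modules whose name is not an exact line in the allowlist file $1;
# the remaining arguments are the config files.
unexpected_modules() {
    allow="$1"; shift
    loaded_modules "$@" | grep -v -x -F -f "$allow" || true
}

# Constructed httpd.conf excerpt with one module that is not on the allowlist.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# LoadModule commented_out_module modules/mod_commented_out.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module        modules/mod_dir.so
LoadModule mime_module       modules/mod_mime.so
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule php5_module       modules/libphp5.so
   LoadModule example_unknown_module /usr/lib/apache2/modules/mod_example_unknown.so
EOF

# Allowlist: the module names this server is supposed to load. Keep and
# maintain it off the box, so an intruder with root cannot edit it too.
ALLOW=$(mktemp)
cat > "$ALLOW" <<'EOF'
authz_core_module
dir_module
mime_module
rewrite_module
php5_module
EOF

echo "loaded:"; loaded_modules "$CONF"
echo "unexpected:"; unexpected_modules "$ALLOW" "$CONF"
echo "module files to verify against the package manager:"; module_paths "$CONF"
```

On a live server, compare this output with `apachectl -M` (or `httpd -M`), which lists the modules the running binary actually has loaded; a module present in memory but absent from the configuration files, or a module file that `dpkg -S` or `rpm -qf` attributes to no package, is what to chase. Because the intruder has root and a backdoored sshd, the package database and the grep, awk and curl binaries on the box may themselves have been tampered with, so run the checks from rescue media or compare file hashes against a known-good host; the same caution applies when verifying the sshd binary itself (for example `rpm -V openssh-server` or `debsums openssh-server`).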

Several researchers appear to have been tracking Darkleech. Daniel Cid, CTO of Sucuri, wrote about a malicious Apache module capable of injecting malware on compromised Web servers on the Sucuri blog back in January. In March, Fraser Howard of Sophos appears to have found Darkleech compromising Websites and redirecting victims to Blackhole exploit kit sites.

“While various researchers have reported various segments of the attacks, until Dan’s article [on Ars Technica], no one had connected the dots and linked them all together,” Landesman wrote.
