Malicious SSHD Backdoor Allows Remote Attackers to Upload and Configure Malicious Apache Modules on Web Servers
An estimated 20,000 legitimate Websites running Apache’s Web server software have been infected by the “Darkleech” malware in the past few weeks alone, according to Cisco.
Remote attackers are uploading and configuring malicious Apache modules onto compromised Web servers infected via an SSHD backdoor, Mary Landesman, a senior security researcher with Cisco Web Security, wrote on the Cisco blog Tuesday.
The malware infects Linux servers running Apache 2.2.2 and above, Landesman said. The malware injects iFrames into the sites hosted on that compromised box. These sites were then used to launch drive-by-malware attacks against unsuspecting users, Landesman said. How Darkleech initially infected the servers and gained root access remains unclear, Landesman said. Potential attack vectors include exploiting security holes in Web administration software, cracked passwords, or social engineering methods.
The injected iFrames are dynamically generated in real time and do not exist beforehand, making “discovery and remediation particularly difficult,” Landesman said. Even so, she was able to identify a pattern—the IP address, a hexadecimal string, followed by q.php—that administrators can look for.
Since the injected code does not really exist on the Website, most website owners and operators will not be able to detect or clean the compromise, Landesman said. Cleaning up also requires root-level access to the Web server, something most website owners don’t have in a hosting environment. The nature of the malware also makes it difficult for the affected Website owner to convince the hosting provider there is a problem.
In fact, the provider “may discount their report,” Landesman said.
The attackers use other tricks to avoid detection, such as blacklisting search engine spiders, checking cookies to “wait list” recent visitors, checking referrer URLs to make sure visitors are arriving at the site via valid search engine results, and checking user agents to target specific operating systems. To date, the malware appears to be targeting Windows users. Darkleech can also check user IP addresses and blacklist those belonging to security researchers, site owners, and hosting providers.
Darkleech has infected sites worldwide, impacting countries in Asia, Europe, and Australia. Over half of the servers being used to launch the injection attacks were based in the United States, United Kingdom, Germany, and Canada, she said.
Remediation will be tricky, since administrators will first need to find the malicious modules and the associated secure shell daemon backdoor on the impacted server. SSHD is a network protocol that encrypts traffic between the Web server and client, and the backdoor itself may vary from server to server and be a challenge to find. Since SSHD is compromised, remediation may require “considerable procedural changes” to ensure the issue is actually resolved.
Administrators or owners of sites should check their Apache configuration right away and look for unexpected modules being loaded.
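As an added example (not code from the Cisco report or this article), the following Python checker combines the two defensive observations above: it scans page HTML for iframes matching the IP-address/hex/q.php pattern and lists LoadModule entries in an Apache config that are not on an expected-module allowlist. The sample HTML, the httpd.conf excerpt, the IP address, the hex token and the module name are all constructed placeholders, not indicators from the report.

```python
import re

# Constructed sample page carrying an injected iframe of the shape described
# in the report (IP address, hex string, q.php). Address and token are placeholders.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://192.0.2.10/3f9a1c2e7b/q.php" width="1" height="1"></iframe>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
</body></html>"""

# Constructed httpd.conf excerpt; sec2_config_module is a hypothetical module
# name chosen for illustration, not a known Darkleech artifact.
SAMPLE_HTTPD_CONF = """LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule sec2_config_module /usr/lib/apache2/modules/mod_sec2_config.so
"""

# Modules this (hypothetical) server is expected to load; anything else is flagged.
EXPECTED_MODULES = {"rewrite_module", "ssl_module"}

# iframe src of the form http(s)://<dotted IP>/<hex>/q.php
IFRAME_RE = re.compile(
    r'<iframe[^>]*\ssrc=["\']?(https?://(\d{1,3}(?:\.\d{1,3}){3})/([0-9a-fA-F]+)/q\.php)',
    re.IGNORECASE,
)
# One LoadModule directive per line: name, then the shared-object path.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+(\S+)', re.MULTILINE)


def find_injected_iframes(html):
    """Return (url, ip, hex_token) tuples for iframes matching the pattern."""
    return [(m.group(1), m.group(2), m.group(3)) for m in IFRAME_RE.finditer(html)]


def find_unexpected_modules(conf, expected=EXPECTED_MODULES):
    """Return (module_name, path) for LoadModule lines not in the allowlist."""
    return [(name, path) for name, path in LOADMODULE_RE.findall(conf)
            if name not in expected]


if __name__ == "__main__":
    for url, ip, token in find_injected_iframes(SAMPLE_HTML):
        print(f"suspicious iframe: {url} (host {ip}, token {token})")
    for name, path in find_unexpected_modules(SAMPLE_HTTPD_CONF):
        print(f"unexpected LoadModule: {name} -> {path}")
```

On a real server, feed `find_unexpected_modules` the output of the actual module list and keep the allowlist under change control, since the report notes the malicious module is the thing to look for.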
Several researchers appear to have been tracking Darkleech. Daniel Cid, CTO of Sucuri, wrote about a malicious Apache module capable of injecting malware on compromised Web servers on the Sucuri blog back in January. In March, Fraser Howard from Sophos appears to have found Darkleech compromising Websites and further redirecting victims to Blackhole sites.
“While various researchers have reported various segments of the attacks, until Dan’s article [on Ars Technica], no one had connected the dots and linked them all together,” Landesman wrote.