Thousands Threatened By Super Stealthy Apache Backdoor

The “most sophisticated” backdoor ever has been found on hundreds of Apache webservers, avoiding detection with some advanced techniques, and potentially infecting thousands of web users with malware, security researchers have warned.

The eventual aim of the Apache backdoor, known as Linux/Cdorked.A, is to allow attackers to alter websites, so they redirect users to sites serving up the Blackhole exploit kit.

Backdoor stealth

But it is the myriad ways Linux/Cdorked.A hides itself from detection software that has impressed security professionals.

Researchers from ESET and Sucuri found the backdoor replaces the “httpd” binary, the Apache daemon itself, with a malicious version. No other traces are left on the hard drive of compromised hosts.

Linux/Cdorked does not write any files on the disk, instead allocating around six megabytes of shared memory for its state and configuration information.

“All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis,” said Pierre-Marc Bureau, ESET security intelligence programme manager.

“The backdoor’s configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools,” added Righard Zwienenberg, senior research fellow at ESET.

“The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex.”
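Two of the traits described above, a replaced httpd binary and roughly six megabytes of state held in shared memory rather than on disk, are things a defender can check for directly. The following is an added example written for this article, not ESET's or Sucuri's tooling; the /proc/sysvipc/shm sample, the web-server uid of 99 and the known-good hash are constructed, and the 4 MiB threshold is an assumption chosen to sit below the reported size.

```python
"""Hunt for Cdorked-style in-memory state: flag large SysV shared-memory
segments owned by the web-server user, and verify the httpd binary against
a hash taken from a trusted package. Added example, not ESET/Sucuri code."""
import hashlib
from pathlib import Path

# Constructed sample in the layout of /proc/sysvipc/shm on Linux.
SAMPLE_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0          0   600     524288  1201  1201      2     0     0     0     0 1367000000 0 1367000000     524288          0
         0      32769   600    6291456  1310  1312      3    99    99    99    99 1367000100 0 1367000100    6291456          0
"""

def parse_shm(text):
    """Parse the /proc/sysvipc/shm table into a list of dicts of ints."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip malformed lines rather than abort the hunt
        rows.append({k: int(v) for k, v in zip(header, fields)})
    return rows

def suspicious_segments(rows, web_uid, min_bytes=4 * 1024 * 1024):
    """Segments of at least min_bytes owned by the web-server uid.
    Cdorked was reported to keep ~6 MB of state in shared memory, while
    Apache's own scoreboard segment is far smaller than that."""
    return [r for r in rows if r["uid"] == web_uid and r["size"] >= min_bytes]

def httpd_matches(binary_bytes, known_good_sha256):
    """Compare the on-disk httpd contents with the hash of a trusted copy
    (e.g. from the distro package); a mismatch warrants investigation."""
    return hashlib.sha256(binary_bytes).hexdigest() == known_good_sha256

if __name__ == "__main__":
    # On a live host read Path("/proc/sysvipc/shm").read_text() instead.
    for seg in suspicious_segments(parse_shm(SAMPLE_SHM), web_uid=99):
        print(f"shmid {seg['shmid']}: {seg['size']} bytes, creator pid {seg['cpid']}")
    # KNOWN_GOOD is a placeholder; take the real value from a trusted package.
    KNOWN_GOOD = "0" * 64
    print("httpd matches known-good:", httpd_matches(Path("/usr/sbin/httpd").read_bytes()
                                                      if Path("/usr/sbin/httpd").exists() else b"", KNOWN_GOOD))
```

A flagged segment is a lead, not a verdict: dump it and inspect the creator process before concluding anything.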

As a result, the appearance of the infected site does not change, but the attackers can configure the backdoor to redirect selected requests to infected sites.

After a redirect takes place, a cookie is set in the user’s browser. The backdoor also checks whether the URL or server name contains strings that could hint the user is an administrator. This is most likely done to ensure admins are not alerted to malicious activity, ESET said.

It appears the threat affects only those Apache servers run by the cPanel hosting control panel.

For information on how to locate and remove the backdoor, head to the ESET website.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
