The “most sophisticated” backdoor ever has been found on hundreds of Apache webservers, avoiding detection with some advanced techniques, and potentially infecting thousands of web users with malware, security researchers have warned.
The eventual aim of the Apache backdoor, known as Linux/Cdorked.A, is to allow attackers to alter websites, so they redirect users to sites serving up the Blackhole exploit kit.
But it is the myriad ways Linux/Cdorked.A hides itself from detection software that has impressed security professionals.
Researchers from ESET and Sucuri found the backdoor replaces the “httpd” file, the daemon or service used by Apache, with malicious code. No other traces are left on the hard drive of compromised hosts.
Linux/Cdorked does not write any files on the disk, instead allocating around six megabytes of shared memory for its state and configuration information.
“All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis,” said Pierre-Marc Bureau, ESET security intelligence programme manager.
“The backdoor’s configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools,” added Righard Zwienenberg, senior researcher fellow at ESET.
“The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex.”
As a result, the appearance of the infected site does not change, but the attackers can set requests to redirect users to infected sites.
After redirects take place, a cookie is installed in the user’s browser, checking if the URL or server name contains strings that could hint the user is an administrator. This is most likely done to ensure admins are not alerted to malicious activity, ESET said.
It appears the threat affects only those Apache servers run by the cPanel hosting control panel.
For information on how to locate and remove the backdoor, head to the ESET website.
Are you a security expert? Try our quiz!
Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…
Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…
OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…
New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…
US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…
Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…