Thousands Threatened By Super Stealthy Apache Backdoor

The “most sophisticated” backdoor ever has been found on hundreds of Apache webservers, avoiding detection with some advanced techniques, and potentially infecting thousands of web users with malware, security researchers have warned.

The eventual aim of the Apache backdoor, known as Linux/Cdorked.A, is to allow attackers to alter websites, so they redirect users to sites serving up the Blackhole exploit kit.

Backdoor stealth

But it is the myriad ways Linux/Cdorked.A hides itself from detection software that has impressed security professionals.

Researchers from ESET and Sucuri found the backdoor replaces the “httpd” file, the daemon or service used by Apache, with malicious code. No other traces are left on the hard drive of compromised hosts.

Linux/Cdorked does not write any files on the disk, instead allocating around six megabytes of shared memory for its state and configuration information.

“All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis,” said Pierre-Marc Bureau, ESET security intelligence programme manager.

“The backdoor’s configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools,” added  Righard Zwienenberg, senior researcher fellow at ESET.

“The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex.”

As a result, the appearance of the infected site does not change, but the attackers can set requests to redirect users to infected sites.

After redirects take place, a cookie is installed in the user’s browser, checking if the URL or server name contains strings that could hint the user is an administrator. This is most likely done to ensure admins are not alerted to malicious activity, ESET said.

It appears the threat affects only those Apache servers run by the cPanel hosting control panel.

For information on how to locate and remove the backdoor, head to the ESET website.

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

4 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

7 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

8 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

9 hours ago