Posts Tagged ‘Apache’

Cyber criminals offer malware for Nginx, Apache Web servers

Thursday, December 26th, 2013

A new malware program that functions as a module for the Apache and Nginx Web servers is being sold on cybercrime forums, according to researchers from security firm IntelCrawler.

The malware is called Effusion and according to the sales pitch seen by IntelCrawler, a start-up firm based in Los Angeles that specializes in cybercrime intelligence, it can inject code in real time into websites hosted on the compromised Web servers. By injecting content into a website, attackers can redirect visitors to exploits or launch social engineering attacks.

The Effusion module works with Nginx from version 0.7 up to the latest stable version, 1.4.4, and with Apache running on 32- and 64-bit versions of Linux and FreeBSD. ModulModules extend Apache’s and Nginx’s core functionality.

The malware can inject rogue code into static content of certain MIME types, including JavaScript and HTML, and in PHP templates at the start, end or after a specific tag. Attackers can push configuration updates and control code modifications remotely.

Filters can also be used to restrict when the injection happens. Effusion supports filtering by referrer header, which can be used to target only visitors that come from specific websites; by User-Agent header, which can be used to target users of specific browsers and by IP address or address range.

The malware can check whether it has root access, something that could allow the attackers greater control over the underlying system. It can also delete the injected content when suspicious processes are detected in order to hide itself, Andrey Komarov, IntelCrawler’s CEO, said via email.

The Effusion authors offer precompiled builds for $2,500 per build and plan to vet buyers, Komarov said. This suggests they’re interested in selling it only to a limited number of people so they can continue to offer support and develop the malware at the same time, he said.

While this is not the first malware to function as an Apache module, it is one of the very few so far to also target Nginx, a high-performance Web server that has grown considerably in popularity in recent years.

According to a December Web server survey by Internet services firm Netcraft, Nginx is the third most widely used Web server software after Apache and Microsoft IIS, and has a market share of over 14%. Because it’s built to handle high numbers of concurrent connections, it is used to host heavily trafficked websites including Netflix, Hulu, Pinterest, CloudFlare, Airbnb,, GitHub and SoundCloud.


Cisco fixes serious security flaws in networking, communications products

Thursday, October 24th, 2013

Cisco Systems released software security updates Wednesday to address denial-of-service and arbitrary command execution vulnerabilities in several products, including a known flaw in the Apache Struts development framework used by some of them.

The company released new versions of Cisco IOS XR Software to fix an issue with handling fragmented packets that can be exploited to trigger a denial-of-service condition on various Cisco CRS Route Processor cards. The affected cards and the patched software versions available for them are listed in a Cisco advisory.

The company also released security updates for Cisco Identity Services Engine (ISE), a security policy management platform for wired, wireless, and VPN connections. The updates fix a vulnerability that could be exploited by authenticated remote attackers to execute arbitrary commands on the underlying operating system and a separate vulnerability that could allow attackers to bypass authentication and download the product’s configuration or other sensitive information, including administrative credentials.

Cisco also released updates that fix a known Apache Struts vulnerability in several of its products, including ISE. Apache Struts is a popular open-source framework for developing Java-based Web applications.

The vulnerability, identified as CVE-2013-2251, is located in Struts’ DefaultActionMapper component and was patched by Apache in Struts version which was released in July.

The new Cisco updates integrate that patch into the Struts version used by Cisco Business Edition 3000, Cisco Identity Services Engine, Cisco Media Experience Engine (MXE) 3500 Series and Cisco Unified SIP Proxy.

“The impact of this vulnerability on Cisco products varies depending on the affected product,” Cisco said in an advisory. “Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system.”

No authentication is needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy, but the flaw’s successful exploitation on Cisco Business Edition 3000 requires the attacker to have valid credentials or trick a user with valid credentials into executing a malicious URL, the company said.

“Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product,” Cisco said.

Security researchers from Trend Micro reported in August that Chinese hackers are attacking servers running Apache Struts applications by using an automated tool that exploits several Apache Struts remote command execution vulnerabilities, including CVE-2013-2251.

The existence of an attack tool in the cybercriminal underground for exploiting Struts vulnerabilities increases the risk for organizations using the affected Cisco products.

In addition, since patching CVE-2013-2251 the Apache Struts developers have further hardened the DefaultActionMapper component in more recent releases.

Struts version, which was released in September, made some changes to the DefaultActionMapper “action:” prefix that’s used to attach navigational information to buttons within forms in order to mitigate an issue that could be exploited to circumvent security constraints. The issue has been assigned the CVE-2013-4310 identifier.

Struts, released on Oct. 17, turned off support for the “action:” prefix by default and added two new settings called “struts.mapper.action.prefix.enabled” and “struts.mapper.action.prefix.crossNamespaces” that can be used to better control the behavior of DefaultActionMapper.

The Struts developers said that upgrading to Struts is strongly recommended, but held back on releasing more details about CVE-2013-4310 until the patch is widely adopted.

It’s not clear when or if Cisco will patch CVE-2013-4310 in its products, giving that the fix appears to involve disabling support for the “action:” prefix. If the Struts applications in those products use the “action:” prefix the company might need to rework some of their code.


U.S. Dept. of Energy reports second security breach

Friday, August 16th, 2013

For the second time this year, the U.S. Department of Energy is recovering from a data breach involving the personally identifying information of federal employees

In a letter sent to employees on Wednesday, the U.S. Department of Energy (DOE) disclosed a security incident, which resulted in the loss of personally identifying information (PII) to unauthorized individuals. This is the second time this year such a breach has occurred. The letter, obtained by the Wall Street Journal, doesn’t identify the root cause of the incident, or provide much detail, other than the fact that no classified data was lost.

“The Department of Energy has confirmed a recent cyber incident that occurred at the end of July and resulted in the unauthorized disclosure of federal employee Personally Identifiable Information (PII)…We believe about 14,000 past and current DOE employees PII may have been affected,” the letter states in part.

Back in February, the DOE disclosed a similar incident where PII was lost. In addition, that incident also included the compromise of 14 servers and 20 workstations. At the time, officials blamed Chinese hackers, but two weeks earlier a group calling itself Parastoo (a common girls name in Farsi) claimed they were behind the breach, posting data allegedly taken from a DOE webserver (including a copy of /etc/passwd and Apache config files) as proof.

In this most recent case, the motive behind the attack may be something simple, such as data harvesting, since PII is rather valuable to criminals. Or it may be something else entirely.

“In some cases, attackers target information about employees because they can use that information to impersonate those employees in spear phishing attacks or compromise their access credentials,” Tom Cross, director of security research at Lancope, told CSO in an email.

“Sometimes, the attackers log right in using employees access credentials and then proceed to access information on the network without using any custom malware. A defensive strategy that focuses exclusively on detecting exploits and malware cannot detect this sort of unauthorized activity.”

In related news, defense contractor Northrop Grumman disclosed a similar data breach, involving the loss of PII related to employees who applied to the Balkans Linguist Support Program.

According to the notification letter, Northrop says the breach, which occurred between late November 2012 and May 2013, targeted a database housing applicant and participant data for the program. The data that was exposed includes names, date of births, blood types, Social Security Numbers, other government-issued identification numbers, and contact information.


Rampant Apache website attack hits visitors with highly malicious software

Friday, July 5th, 2013

Darkleech is back. Or maybe it never left. Either way, it’s a growing problem.

A campaign that forces sites running the Apache Web server to install highly malicious software on visitor’s PCs has compromised more than 40,000 Web addresses in the past nine months, 15,000 of them in the month of May alone.

The figures, published Tuesday by researchers from antivirus provider Eset, are the latest indication that an attack on websites running the Internet’s most popular Web server continues to build steam. Known as Darkleech, the rogue Apache module gets installed on compromised servers and turns legitimate websites into online mine fields that expose unsuspecting visitors to a host of dangerous exploits. More than 40,000 domains and website IPs have been commandeered since October, 15,000 of which were active at the same time in May, 2013 alone. In just the last week, Eset has detected at least 270 different websites exposing users to attacks.

Sites that come under the spell of Darkleech redirect certain visitors to malicious websites that host attack code spawned by the notorious Blackhole exploit kit. The fee-based package available in underground forums makes it easy for novices to exploit vulnerabilities in browsers and browser plug-ins. Web visitors who haven’t installed updates patching those flaws get silently infected with a variety of dangerous malware titles. Among the malware that Darkleech pushes is a “Nymaim” piece of ransomware that demands a $300 payment to unlock encrypted files from a victim’s machine. Other malware titles that get installed include Pony Loader and Sirefef.

“This campaign has been going on for a very long time,” Eset malware researcher Sébastien Duquette wrote in Tuesday’s blog post. “Our data shows that the Blackhole instance has been active for more than two years, since at least February 2011.”

Eset’s research is consistent with April coverage from Ars reporting that an estimated 20,000 Apache websites were infected by Darkleech in just a few weeks’ time. Sites operated by The Los Angeles Times, Seagate, and other reputable companies were among the casualties. Like Ars, Eset found the Web malware employs a detailed array of conditions to determine when to inject malicious links into the pages shown to end users. Among other things, Eset wrote that users will only be attacked when their browser reports they’re using Microsoft’s Internet Explorer browser or Oracle’s Java plugin. Eset’s findings are also consistent with recent figures from Google showing that the vast majority of malware attacks are spawned from legitimate sites that have been hacked.

The chosen few

Darkleech has also been known to pass over visitors using IP addresses belonging to security and hosting firms, people who have recently been attacked, and those who don’t access the hacked pages from specific search queries. By being highly selective in targeting potential victims, Darkleech developers make it harder for security defenders to unravel the campaign and block infections. Visitors who are selected are served an HTML-based iframe tag in a Web page from the legitimate site that has been compromised. The iframe exploits code from a malicious site under the control of attackers.

Darkleech, which also goes by the name Linux/Charpoy, is able to tailor exploits to the geographic region of the infected victim as well. Ransomware that infects US-based visitors, for instance, purports to come from the FBI, while ransomware hitting people in other countries is adapted accordingly.

In October, Darkleech underwent a makeover that changed the format of the URL in the malicious iframe so it’s harder to detect. It works by decrypting four different text strings and then calculating a cryptographic hash to determine if a visitor should be served an iframe. The randomly generated link that leads to the attack site is extremely hard to detect as malicious except for its telltale ending “q.php.”

As has been the case with previous investigations, researchers still don’t know how the Darkleech module takes initial hold of the sites it infects. Speculation has surfaced that the servers are compromised by exploiting undocumented vulnerabilities in the CPanel or Plesk tools administrators used to remotely manage sites, but there’s no hard evidence to back up that theory. Researchers also reckon sites may be taken over by cracking administrative passwords or by exploiting security flaws in Linux, Apache, or another piece of commonly used software. Darkleech in part uses CPanel and Plesk servers to handle certain aspects of the iframe injection and payload delivery, but other parts rely on the Apache server itself, Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars.

Because there are usually many websites hosted on a single server, there’s often multiple domain names pointing to a single IP address, so Eset researchers are unable to determine just how many Apache-powered websites are infected by Darkleech. The total is “probably lower” than the 40,000 estimate, Bureau said.

The Eset report comes two weeks after researchers from security firm Sucuri unearthed a new malicious module infecting Apache servers. They’re still not sure if the plug-in is a newer, stealthier version of Darkleech or a completely different tool developed by a rival crime group. Researchers in recent months have uncovered a third piece of malware that causes websites to expose visitors to attacks. Known as Linux/Cdorked, it targets sites running the Apache, nginx, and Lighttpd Web servers and, as of May, had exposed almost 100,000 end-users running Eset software alone to attack.

Only you can prevent Web server hacks

With so many threats successfully targeting mainstream Web servers, administrators should take care to lock down their systems by following good security hygiene. One step is to ensure all default passwords have been changed to a one that’s long and randomly generated. Also key is to make sure all software components—including the operating system and all applications—are fully up to date. It’s also not a bad idea to use a website security scanner from time to time and to occasionally check the cryptographic hash of the HTTP daemon of the Web server to make sure it hasn’t been tampered with.


Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too

Thursday, May 9th, 2013

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

“This is the first time I’ve seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lightttp, and nginx,” Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars. “Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users’ computers.”

Previously, Cdorked was known to infect only sites that ran on Apache, which remains by far the Internet’s most popular Web server application. According to this month’s server survey from Netcraft, Apache and nginx are the No. 1 and No. 3 packages respectively, with about 53 percent and 16 percent of websites. The survey didn’t rank Lighttpd, a Web server designed for speed-critical sites that’s used by sites including Meebo, YouTube, and Wikimedia, according to Wikipedia. The report of the susceptibility of nginx came as its maintainers issued an update that patches a remote-code execution vulnerability in the open-source Web server. (There’s no evidence the vulnerability is related to the Cdorked infection.)

Linux/Cdorked.A is one of at least two backdoors recently observed causing trusted and often popular websites to push exploits that attempt to surreptitiously install malware on visitors’ computers. Like Darkleech, a backdoor estimated to have infected 20,000 Apache websites, it redirects users to a series of third-party sites that host malicious code from the Blackhole exploit kit. A recent blog post from security firm Invincea reports another rash of website hijackings, but they appear to be unrelated to Cdorked, and there’s no indication Darkleech is involved, either.

Also similar to Darkleech, the Cdorked backdoor makes it extremely difficult for end users and even security researchers to notice their computers are being attacked. Users who speak Russian, Ukrainian, and at least four other languages are never exposed, and people who have already been attacked in recent days are also spared. Common configurations include a large list of IP addresses that are also blocked from exploits.

“We believe the operators behind this malware campaign are making significant efforts to keep their operation under the radar and to hinder monitoring efforts as much as possible,” Eset researcher Marc-Etienne M.Léveillé wrote in a blog post published Tuesday. “For them, not being detected seems to be a priority over infecting as many victims as possible.”

Cdorked-infected servers are also advanced enough to distinguish among different computing platforms used by end users visiting infected sites. Those using Windows machines are directed to sites that mostly host exploits from Blackhole. People using Apple iPads or iPhones are redirected to porn sites that may also be hosting malicious code. Cdorked also stores most of its inner workings in a server’s shared memory, making it hard for some admins to know their sites are infected. Compromised systems can receive up to 70 different encrypted commands, a number that gives attackers fairly granular control that can be remotely and stealthily invoked.

In another testament to the ambition of its operators, Cdorked relies on compromised domain name system servers to resolve the IP addresses of redirected sites. The use of “trojanized DNS server binaries” adds another layer of obscurity to the attacks, since they make it easier for attackers to serve different sites to different end users.

“They are using the compromised DNS server to very accurately filter out who is going to visit the next stage Web server,” Bureau said in an interview. “This means, for example, that security researchers will have a very hard time being served the same content as a victim. It makes the investigation and tracking this operation harder. They are trying to control every step along the way to make every visit very traceable but also very hard to recreate.”

Researchers still don’t know how servers are being infected with Cdorked. Because compromised machines are running a variety of administration controls, cPanel and competing software aren’t obvious suspects. Cdorked doesn’t have the ability to spread by itself and doesn’t exploit a vulnerability in any other specific piece of software, either.

Readers who want to ensure their websites aren’t infected should use the rpm –verify command to see if the HTTP daemon they use has been altered. Eset researchers have also released this free python script (zip file) to examine a server’s shared memory for signs it is under the control of Cdorked.

Bureau said he believes Cdorked and Darkleech are two competing toolkits for exploiting Web servers. Their prevalence, combined with Invincea’s discovery of popular websites also exposing visitors to malware attacks, suggests exploits are expanding beyond the traditional base of machines running Microsoft-based software.

“A couple years ago malware against the Linux operating system was really in the age of its proof of concept,” he said. “Whenever we would discover something everybody would say: ‘It’s not really in wild. It’s just somebody trying to prove a point.’ Now the fact that we see so many instances of infected Web servers out there really shows we’re past the era of the proof of concept. Now serious operators are making serious money by victimizing these web servers.”


Attack hitting Apache websites is invisible to the naked eye

Monday, April 29th, 2013

Newly discovered Linux/Cdorked evades detection by running in shared memory.

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.

“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on their with your standard tool sets and destroy the evidence.”

Linux/Cdorked.A leaves no traces of compromised hosts on the hard drive other than its modified HTTP daemon binary. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren’t logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.

“The thing is receiving commands,” Camp said. “That means that suddenly you have a new vector that is difficult to detect but is receiving commands. Blackhole is a tricky piece of malware anyway. Now suddenly you have a slick delivery method.”

In addition to hiding evidence in memory, the backdoor is programmed to mask its malicious behavior in other ways. End users who request addresses that contain “adm,” “webmaster,” “support,” and similar words often used to denote special administrator webpages aren’t exposed to the client exploits. Also, to make detection harder, users who have previously been attacked are not exposed in the future.

It remains unclear what the precise relationship is between Linux/Cdorked.A and Darkleech, the Apache plug-in module conservatively estimated to have hijacked at least 20,000 sites. It’s possible they’re the same module, different versions of the same module, or different modules that both expose end users to Blackhole exploits. It also remains unclear exactly how legitimate websites are coming under the spell of the malicious plugins. While researchers from Sucuri speculate it takes hold after attackers brute-force the secure-shell access used by administrators, a researcher from Cisco Systems said he found evidence that vulnerable configurations of the Plesk control panel are being exploited to spread Darkleech. Other researchers who have investigated the ongoing attack in the past six months include AV provider Sophos and those from the Malware Must Die blog.

The malicious Apache modules are proving difficult to disinfect. Many of the modules take control of the secure shell mechanism that legitimate administrators use to make technical changes and update content to a site. That means attackers often regain control of machines that are only partially disinfected. The larger problem, of course, is that the highly sophisticated behavior of the infections makes them extremely hard to detect.

Eset researchers have released a tool that can be used by administrators who suspect their machine is infected with Linux/Cdorked.A. The free python script examines the shared memory of a sever running Apache and looks for commands issued by the stealthy backdoor. Eset’s cloud-based Livegrid system has already detected hundreds of servers that are infected. Because Livegrid works only with a small percentage of machines on the Internet, the number of compromised Apache servers is presumed to be much higher.


Ongoing malware attack targeting Apache hijacks 20,000 sites

Tuesday, April 2nd, 2013

Mysterious “Darkleech” exposes visitors to potent malware exploits.

Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of “Darkleech,” a mysterious exploitation toolkit that exposes visitors to potent malware attacks.

The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet’s most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines. Vulnerabilities in Plesk, Cpanel, or other software used to administer websites is one possibility, but researchers aren’t ruling out the possibility of password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes.

Researchers also don’t know precisely how many sites have been infected by Darkleech. The server malware employs a sophisticated array of conditions to determine when to inject malicious links into the webpages shown to end users. Visitors using IP addresses belonging to security and hosting firms are passed over, as are people who have recently been attacked or who don’t access the pages from specific search queries. The ability of Darkleech to inject unique links on the fly is also hindering research into the elusive infection toolkit.

“Given that these are dynamically generated, there would be no viable means to do a search to ferret them out on Google, etc.,” Mary Landesman a senior security researcher for Cisco Systems’ TRAC team, told Ars. “Unfortunately, the nature of the compromise coupled with the sophisticated conditional criteria presents several challenges.”

The injected HTML iframe tag is usually constructed as IP address/hex/q.php. Sites that deliver such iframes that aren’t visible within the HTML source are likely compromised by Darkleech. Special “regular expression” searches such as this one helped Landesman ferret out reported iframes used in these attacks. Note that while the iframe reference is formed as IP/hex/q.php, the malware delivery is formed as IP/hex/hex/q.php.

In active development

With the help of Cisco Security Engineer Gregg Conklin, Landesman observed Darkleech infections on almost 2,000 Web host servers during the month of February and the first two weeks of March. The servers were located in 48 countries, with the highest concentrations in the US, UK, and Germany. Assuming the typical webserver involved hosted an average of 10 sites, that leaves the possibility that 20,000 sites were infected over that period. The attacks were documented as early as August on researcher Denis Sinegubko’s Unmask Parasites blog. They were observed infecting the LA Times website in February and the blog of hard drive manufacturer Seagate last month, an indication the attacks are ongoing. Landesman said the Seagate infection affected, which was hosted by Media Temple, began no later than February 12, and was active through March 18. Representatives for both Seagate and the LA Times said the sites were disinfected once the compromises came to light.

“I regularly receive e-mails and comments to my blog posts about new cases,” Sinegubko told Ars last week. “Sometimes it’s a shared server with hundreds or thousands of sites on it. Sometimes it’s a dedicated server with some heavy-traffic site.”

Referring to the rogue Apache modules that are injected into infected sites, he added, “Since late 2012 people have sent me new versions of the malicious modules, so this malware is in active development, which means that it pays off well and the number of infected servers can be high (especially given the selectivity of the malware that prefers to stay under the radar rather than infecting every single visitor).”

Landesman picked a random sample of 1,239 compromised websites and found all were running Apache version 2.2.22 or higher, mostly on a variety of Linux distributions. According to recent blog posts published here and here by researchers from security firm Securi, Darkleech uses rogue Apache modules to inject malicious payloads into the webpages of the sites it infects and to maintain control of compromised systems. Disinfecting Web servers can prove extremely difficult since the malware takes control of the secure shell (SSH) mechanism that legitimate administrators use to make technical changes and update content to a site.

“We have noticed that they are modifying all SSH binaries and inserting a version that gives them full access back to the server,” Securi CTO Daniel Cid wrote in January. “The modifications not only allow them to remote into the server bypassing existing authentication controls, but also allow them to steal all SSH authentications and push it to their remote servers.”

Researchers from a variety of other organizations, including antivirus provider Sophos and the Malware Must Die blog, have also stumbled on servers infected by Darkleech. They note the third-party attack sites host malicious code from the Blackhole exploit kit, a suite of tools that targets vulnerabilities in Oracle’s Java, Adobe’s Flash and Reader, and a variety of other popular client software.

“It looks like the attackers were beforehand well-prepared with some penetration method to gain web exploitation which were used to gain shell access and did the privilege escalation unto root,” the writer of the latter blog post wrote last week, adding that he wasn’t at liberty to discuss the precise method. “Since the root [was] gained in all infected servers, there is no way we can trust the host or its credentials anymore.”

The writer went on to recommend that admins take infected servers offline and use backup data to reinstall the software. He also suggested that users take care to change all server credentials, since there’s a strong chance all previous administrator logins have been compromised.

Déjà vu

The Apache server compromise in many ways resembles a mass infection from 2008 that also used tens of thousands of sites to silently expose visitors to malware attacks. The challenge white hats often face in fighting these hacks is that each researcher sees only a small part of the overall damage. Because the server malware is designed to conceal itself and because so many individual systems are affected, it can be next to impossible for any one person to gain a true appreciation for the scope of attack.

Since there’s not yet consensus among researchers about exactly how Darkleech takes hold of infected systems, it’s still unclear exactly how to protect them. And as already noted, disinfecting systems can also prove challenging since backdoor and possibly even rootkit functionality may allow attackers to maintain control of servers even after the malicious modules are uninstalled. Landesman has published her own blog post about the infection here.

“This is a latent infection,” Sinegubko wrote. “It hides from server and site admins using blacklists and IPs and low-level server APIs (something that normal site scripts don’t have access to). “It hides from returning visitors. It constantly changes domains so you can’t reduce it to the facts were some particular domain was involved. I’m still waiting for someone to share any reliable information about the attack vector.”