Apache “Darkleech” Compromises

Started by Tìtstewan, April 03, 2013, 10:48:45 AM


Tìtstewan


Dan Goodin, editor at Ars Technica, has been tracking and compiling info on an elusive series of website
compromises that could be impacting tens of thousands of otherwise perfectly legitimate sites. While
various researchers have reported various segments of the attacks, until Dan's article, no one had
connected the dots and linked them all together.

Dubbed "Darkleech," thousands of Web servers across the globe running Apache 2.2.2 and above
are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious
Apache modules. These modules are then used to turn hosted sites into attack sites, dynamically injecting
iframes in real-time, only at the moment of visit.

Because the iframes are dynamically injected only when the pages are accessed, this makes discovery
and remediation particularly difficult. Further, the attackers employ a sophisticated array of conditional
criteria to avoid detection:
   
  • Checking IP addresses and blacklisting security researchers, site owners, and the compromised hosting providers;
  • Checking User Agents to target specific operating systems (to date, Windows systems);
  • Blacklisting search engine spiders;
  • Checking cookies to "wait list" recent visitors;
  • Checking referrer URLs to ensure visitor is coming in via valid search engine results.

When the iframe is injected on the page, the convention used for the reference link in the
injected iframe is IP/hex/q.php. For example:

129.121.179.168/d42ee14e4af7a0a7b1033b8f8f1eb18a/q.php

The nature of the compromise coupled with the sophisticated conditional criteria presents
several challenges:
   
  • Website owners/operators will not be able to detect or clean the compromise as (a) it is not actually on their website, and (b) most will not have root-level access to the webserver;
  • Even if website owners/operators suspect the host server may be the source, they would still need to convince the hosting provider, who may discount their report;
  • Even if the hosting provider is responsive, the malicious Apache modules and associated SSHD backdoor may be difficult to ferret out, and the exact method will vary depending on server configuration;
  • Since SSHD is compromised, remediation of the attack and preventing further occurrences may require considerable procedural changes that, if not carried out properly, could cause a privilege lockout for valid administrators or be ineffective and lead to continued compromise.

The magnitude of the problem becomes clear when one considers how widespread these attacks are. The following chart illustrates the geographic
location of infected host servers observed from February 1–March 15, 2013.



Source: [Cisco Blogs]

-| Na'vi Vocab + Audio | Na'viteri as one HTML file | FAQ | Useful Links for Beginners |-
-| Kem si fu kem rä'ä si, ke lu tìfmi. |-
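The post above describes two things a responder can act on: the injected iframe follows the IP/hex/q.php convention, and the injection is only served to visitors that pass the conditional checks (Windows User-Agent, search-engine referrer, no recent-visitor cookie, an IP that is not blacklisted). The following is an added example, not code from the original post or from Cisco: it builds a "victim-like" request header set that satisfies those conditions, extracts iframe sources matching the IP/hex/q.php pattern, and compares a page fetched as a victim against the same page fetched as a researcher, so that content present only in the victim view is flagged. The sample HTML bodies are constructed for the example; the IP and hex path are the ones quoted in the post. Function names, the header values, and the CLEAN_HTML/INJECTED_HTML fixtures are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Darkleech iframe convention from the post: <IP>/<32 hex chars>/q.php
# Accepts absolute (http://, https://), protocol-relative (//) and bare forms.
DARKLEECH_SRC_RE = re.compile(
    r"^(?:https?:)?(?://)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<hex>[0-9a-fA-F]{32})/q\.php(?:[?#].*)?$"
)

# Crude iframe src extractor; enough for injected snippets, which are flat tags.
IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?(?P<src>[^\"'\s>]+)", re.IGNORECASE
)


def victim_request_headers():
    """Headers that satisfy the conditional checks described in the post:
    a Windows browser User-Agent, a search-engine referrer, and no cookie
    (so the visitor does not look like a recent, wait-listed one).
    The specific UA string and referrer URL are assumptions of the example."""
    return {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) "
                      "Gecko/20100101 Firefox/19.0",
        "Referer": "https://www.google.com/search?q=example+site",
        "Accept": "text/html,application/xhtml+xml",
    }


def researcher_request_headers():
    """A request that the injector is expected to ignore (scanner-style UA,
    no referrer). Used as the baseline view for comparison."""
    return {"User-Agent": "curl/7.29.0", "Accept": "*/*"}


def find_darkleech_iframes(html):
    """Return every iframe src in html that matches the IP/hex/q.php pattern."""
    hits = []
    for m in IFRAME_SRC_RE.finditer(html):
        src = m.group("src")
        if DARKLEECH_SRC_RE.match(src):
            hits.append(src)
    return hits


@dataclass
class ViewDiff:
    injected_for_victim: list = field(default_factory=list)  # only in victim view
    in_both_views: list = field(default_factory=list)        # static, i.e. on disk


def diff_views(victim_html, baseline_html):
    """Compare the page as served to a victim-like client against the page as
    served to a researcher-like client. An iframe present only in the victim
    view is the dynamic, request-time injection the post describes; one present
    in both views would instead point at a modified file on the site itself."""
    victim = set(find_darkleech_iframes(victim_html))
    baseline = set(find_darkleech_iframes(baseline_html))
    return ViewDiff(
        injected_for_victim=sorted(victim - baseline),
        in_both_views=sorted(victim & baseline),
    )


# Constructed fixtures: the same page with and without the injected iframe.
CLEAN_HTML = (
    "<html><body><h1>Legitimate site</h1>"
    "<iframe src=\"https://www.example.org/widget.html\"></iframe>"
    "</body></html>"
)
INJECTED_HTML = (
    "<html><body><h1>Legitimate site</h1>"
    "<iframe src=\"https://www.example.org/widget.html\"></iframe>"
    "<iframe src=\"http://129.121.179.168/d42ee14e4af7a0a7b1033b8f8f1eb18a/q.php\""
    " width=\"1\" height=\"1\"></iframe>"
    "</body></html>"
)

if __name__ == "__main__":
    d = diff_views(INJECTED_HTML, CLEAN_HTML)
    print("victim-only iframes:", d.injected_for_victim)
    print("static iframes:     ", d.in_both_views)
```

To use this against a live site, fetch the page twice with `victim_request_headers()` and `researcher_request_headers()` and pass the two bodies to `diff_views`; because the post says the injector blacklists the site owner's and hosting provider's IPs, the victim-style fetch has to come from an address the attackers have no reason to exclude, or it will return the clean page and prove nothing.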

Human No More

I've heard of this referred to as cdorked as well - I've heard that in some cases, the vector is just root SSH brute force though, which any competently set up server is immune to - although of course, nothing stops there being others too. The main interesting part is that it leaves no signature on disk other than a modified apache/nginx/lighttpd binary (IIRC, it started off affecting apache but had been observed on other servers as well).
"I can barely remember my old life. I don't know who I am any more."

HNM, not 'Human' :)

Na'vi tattoo:
1 | 2 (finished) | 3
ToS: Human No More
dA
Personal site coming soon(ish)

"God was invented to explain mystery. God is always invented to explain those things that you do not understand."
- Richard P. Feynman