02 May 2013
A new wave of attacks targeting Apache servers running on Linux has been spotted in the wild.
The culprit, a piece of malware known as Linux/Cdorked.A, sneaks onto the host machine and modifies the HTTP daemon binary file, then allocates shared memory where it stores configuration files. It then tries to open a reverse connection shell to be used later by its masters to push commands to the compromised server.
Depending on commands, regular users of sites hosted on the infected servers are redirected to malicious pages rigged with the notorious Blackhole exploit kit. The redirect usually takes place only once per IP, so the same user visiting different pages will not get redirected twice.
“The compromised binary doesn’t change anything in the site in terms of utilization or how the sites looks, however on some random requests (once per day per IP address) instead of just displaying the content, it also adds a malicious redirect. That causes the browser to load content from what seems to be random domains,” reads the advisory posted on the Sucuri blog.
This highly sophisticated backdoor takes all precautions not to be detected: it encrypts traffic between the server and the command and control center to prevent traffic analysis, and it runs mostly in memory to deter forensic analysis.