A mysterious backdoor that has been used to drive traffic to malicious websites may be more widespread than previously thought, security researchers say, and it affects more web servers than just Apache.
The malware – which has been dubbed "Linux/Cdorked.A" or "Darkleech," depending whom you ask – was first spotted in the wild in late April, when it was thought to have infected hundreds of web sites running on the Apache server.
More recently, however, researchers have also found instances of the Lighttpd and Nginx web server daemons that had been similarly modified to include Cdorked code.
Compromised servers redirect incoming HTTP requests to sites hosting the infamous Blackhole exploit kit but leave no traces in the server logs to alert admins of the malicious activity. All of the data related to the backdoor is held in shared memory and never touches the disk.
Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three. What is curious, however, is how they managed to smuggle their Trojanized versions onto active servers – not to mention what they hope to achieve by it.
"We still don't know for sure how this malicious software was deployed on the web servers," ESET security researchers write in a blog post. "We believe the infection vector is not unique."
Initially, the researchers had thought that the attackers had managed to inject their malware onto servers by exploiting a vulnerability in cPanel, a remote administration tool that is popular among shared-hosting providers. As more and more compromised servers were discovered, however, researchers realized that only a fraction of them were running cPanel.
"One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software," the researchers write.
In other words, someone is replacing legitimate web server software with binaries containing the Cdorked backdoor, but exactly how they're doing it remains a mystery. They may even be using a different technique on each server.
Equally mysterious is just who the intended targets of the attack might be, and why. According to ESET, the Cdorked malware doesn't just blindly attack every web surfer who comes along. In fact, it operates according to a set of sophisticated yet bewildering rules.
For one thing, Cdorked keeps a list of IP addresses that have already been redirected to the Blackhole exploit, along with time stamps, to avoid redirecting the same user too often (and thus risk being detected).
The malware can also be configured with a whitelist of addresses (or address ranges) to always redirect, as well as a blacklist of addresses to never redirect. These lists can be programmed via a command and control server, again without any suspicious activity showing up in the server logs.
In one instance ESET examined, the lists were propagated with inexplicable patterns. About 50 per cent of all IPv4 addresses were blacklisted, apparently irrespective of their geographic location. At the same time, the exploit was disabled for all users whose browsers were configured to use the Belarusian, Finnish, Japanese, Kazakh, Russian, or Ukranian languages.
The systems targeted by the Cdorked malware were likewise baffling. Only users running Windows XP, Vista, or 7 were served the exploit, even though the latest Blackhole kit works on Windows 8, too. What's more, only Firefox and Internet Explorer users were attacked; users running Chrome, Opera, Safari, or other browsers were spared.
Even curiouser, a special exception was put in place for iPhone and iPad users. The Cdorked malware redirected their requests, but not to the exploit kit. Instead, they were shown a page advertising pornographic websites.
Despite these seeming incongruities, however, the ESET researchers believe Linux/Cdorked.A is a sophisticated, stealthy attack that has been underway since at least December 2012. They even believe it involves the use of compromised DNS servers to generate its redirects, something they describe as "unusual."
So far, they say, at least 400 webservers have been found to be infected with the malware, 50 of which were ranked in Alexa's top 10,000 most popular websites.
To avoid falling victim to the attack, users are advised to make sure that their browsers and plugins are all fully up-to-date – or, where possible, disabled – and to run antivirus software.
Server administrators who want to make sure their systems aren't compromised can download the latest version of ESET's detection tool, which has been updated to spot all known variants of the malware affecting Apache, Lighttpd, and Nginx. ®