Posted By: ITWiser Webmaster - Yorkshire's IT Specialists
Attack on Apache Opens up Malware Risk
Apache, the world’s most popular HTTP server software, serving over 63 percent of all active websites, is the target of a backdoor that is increasingly showing up in the wild, according to a new report by The Register. The infection does not exploit a flaw in Apache itself: on affected servers the httpd binary has been replaced with a backdoored copy.
Dubbed Linux/Cdorked.A, the malware is described by ESET’s welivesecurity as a “sophisticated and stealthy backdoor meant to drive traffic to malicious websites.” The modified httpd binary redirects selected HTTP requests to the Blackhole exploit kit, one of the most widely used exploit kits of the past couple of years.
The Register reports that victims are redirected to a URL that looks like the original one but carries additional base64-encoded data, and a marker is set so that the same visitor is not redirected a second time. Linux/Cdorked.A has been described by welivesecurity as “one of the most sophisticated Apache backdoors we have seen so far.” It has affected hundreds of servers and leaves no trace on disk other than the modified httpd binary: everything else lives in roughly 6 MB of shared memory, which makes analysis difficult. Its configuration is pushed to the server through obfuscated HTTP requests that Apache does not log, so the binary itself contains no command-and-control information that could be used for analysis.
Analysis has so far identified 23 backdoor commands, each a single byte written as two hex characters. Commands are delivered by an HTTP POST request to the compromised server that carries a “SECID=” cookie header; among them are commands that push the redirect URL, set the conditions under which a request is redirected, whitelist user agents and blacklist IP addresses so that the backdoor stays out of sight of researchers and administrators.
System administrators are being urged to check their servers and verify that they are not affected by this threat; welivesecurity has published a Python tool that dumps the backdoor’s shared-memory configuration so an administrator can confirm whether a server is infected.
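The two indicators above, a replaced httpd binary and a ~6 MB shared-memory region, can be turned into quick triage checks. The script below is an added example for this post; it is not ESET’s dump tool and not code from the original article. It assumes the region is a System V segment that shows up in `ipcs -m`, that "about 6 MB" means a 5–8 MB band, and that Apache runs as one of a few common account names; the known-good digest, the user list and the sample `ipcs` output are all placeholders or constructed data, not published indicators.

```python
# Added example for this article; not ESET's tool, not code from the post.
# Check 1: has /usr/sbin/httpd (or wherever your httpd lives) still got the
#          digest of a clean copy?
# Check 2: is there a ~6 MB SysV shared-memory segment owned by the web-server
#          account with every Apache child attached?
import hashlib
import re
import subprocess

# Assumption: the backdoor's segment is "about 6 MB"; flag a band around that
# rather than guessing an exact figure.
SUSPECT_MIN_BYTES = 5 * 1024 * 1024
SUSPECT_MAX_BYTES = 8 * 1024 * 1024
# Assumed list of accounts Apache commonly runs under; adjust for your host.
WEB_USERS = {"apache", "www-data", "httpd", "nobody"}

# Matches a data row of `ipcs -m` on Linux:
# key        shmid      owner      perms      bytes      nattch     status
IPCS_ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)", re.IGNORECASE
)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches(path: str, known_good_hex: str) -> bool:
    """Check 1. known_good_hex comes from a clean install of the same package
    version; on packaged systems `rpm -V httpd` or `debsums apache2-bin`
    perform the same comparison against the package database."""
    return sha256_file(path).lower() == known_good_hex.strip().lower()


def suspicious_segments(ipcs_output: str, web_users=WEB_USERS):
    """Check 2: parse `ipcs -m` text and return (shmid, owner, bytes, nattch)
    for segments in the size band owned by a web-server account. A high
    nattch (every Apache child attached) fits the backdoor, but legitimate
    modules also use shared memory, so a hit is a lead to dump and inspect,
    not a verdict."""
    hits = []
    for line in ipcs_output.splitlines():
        m = IPCS_ROW.match(line.strip())
        if not m:
            continue
        _key, shmid, owner, _perms, nbytes, nattch = m.groups()
        size = int(nbytes)
        if owner in web_users and SUSPECT_MIN_BYTES <= size <= SUSPECT_MAX_BYTES:
            hits.append((int(shmid), owner, size, int(nattch)))
    return hits


def live_segments():
    """Run `ipcs -m` on this host (Linux) and apply check 2."""
    out = subprocess.run(["ipcs", "-m"], capture_output=True, text=True,
                         check=True).stdout
    return suspicious_segments(out)


# Constructed sample output; not captured from an infected host.
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      root       600        1048576    2
0x00000000 65537      www-data   600        6291456    12
0x5a00cafe 98306      postgres   600        67108864   4
"""

if __name__ == "__main__":
    for shmid, owner, size, nattch in suspicious_segments(SAMPLE_IPCS):
        print(f"suspect shmid={shmid} owner={owner} bytes={size} nattch={nattch}")
    # On a real server also run:
    #   binary_matches("/usr/sbin/httpd", "<sha256 of a clean httpd>")
    #   live_segments()
```

Treat a hit from either check as a reason to take the server offline for a closer look rather than as proof of infection: a legitimate cache module can allocate a segment of similar size, and a genuinely patched httpd will also fail a stale digest comparison. Because the backdoor’s control traffic is never written to Apache’s logs, the binary and the shared memory are the only places on the host where evidence survives, which is why the checks target those two artefacts.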
To the average office computer user, all of this can seem terribly complicated; however, it is important to be vigilant where any form of malware is concerned. The danger to an office is on the client side: a staff member browsing an infected website is silently redirected to the exploit kit. To protect your systems from this and other malware threats, you should ensure that your office computers are protected with Cloud Web Security, and if you run your own Apache servers you should also carry out the server-side checks described above.
ITWiser’s Cloud Web Security solution employs state-of-the-art antivirus, antiphishing, antispyware and antimalware engines to provide unparalleled protection from malicious content. It also allows the monitoring of staff internet usage to prevent employees from accessing unnecessary websites.