One of the most sophisticated web server backdoors ever seen has spread fast and is now sitting on hundreds of webservers running some of the most popular websites in the world, researchers have warned.
One expert told TechWeekEurope the Cdorked backdoor, brought to light in April, is almost as smart as Stuxnet, the malware which disrupted Iranian nuclear facilities, highlighting the severity of the threat.
ESET said it had uncovered 400 webservers infected with Linux/Cdorked.A, 50 of which are amongst the top 100,000 most popular websites, according to the Alexa ranking service. The highest ranked site using an infected server was in the top 2,000.
Massive backdoor attack
The ultimate aim of the backdoor is to redirect users to websites, either to get them infected with malware using the Blackhole exploit kit, or to push them to porn sites where click fraud is in operation.
It was initially believed the backdoor affected Apache servers only, but it is now clear open source Lighttpd and nginx servers have been hit too. It is extremely rare to see malware capable of infecting numerous kinds of webserver.
Given ESET saw 100,000 users of its security products browsing infected websites due to Linux/Cdorked.A redirection, it is clear many more will have been touched by the malware, potentially millions.
ESET said it also believed Cdorked was even stealthier and more complex than it initially thought. The backdoor gives the attacker plenty of targeting ability, by using a range of blacklists and whitelists, which includes blacklists for certain languages, such as Japanese, Finnish and Russian.
It also keeps a list of IPs it has redirected with a timestamp, to avoid redirecting the same victim twice within a small period of time, which should help avoid detection. All of this remains in memory and is modified by the attacker through HTTP requests on the infected webserver. The only thing stored on the hard drive is the malicious code that replaces the “httpd” file, the daemon or service used by a webserver.
The attackers are doing all this to hide their activities, ESET believes. Righard Zwienenberg, senior research fellow at ESET, compared the malware to Stuxnet, believed to be the most sophisticated piece of malware ever created.
“When I look at it, it is almost as sophisticated as Stuxnet when it was first discovered,” Zwienenberg told TechWeekEurope.
“The attackers are quite specific in what they block… we are still finding new things that are quite interesting that show this is really sophisticated malware.”
When asked why he thought it was close to the level of Stuxnet, he noted how the attackers’ infrastructure uses compromised DNS servers. Whoever controls a DNS server can send any user of that server to a malicious website at the moment their browser resolves a hostname to an IP address, regardless of whether they have ever visited a website running an infected server.
The compromised DNS servers also let the attackers ensure they are not sending victims to the same infected site twice – another clever way of obscuring their illicit activities.
“To be able to have Trojanised DNS servers, which are the backbone of routing on the Internet, you can control whatever people are seeing. It is scary because they could redirect you to your bank site,” Zwienenberg added.
The security firm also found specific redirections were configured for Apple iPad and iPhone users, who are being pushed to porn sites, most likely for click fraud reasons, given the locked-down iOS model shouldn’t allow unsigned malware to get onto devices. That’s only if users haven’t jailbroken their devices, however.
“Many pornographic websites have automatic downloaders trying to get all kinds of dangerous content on your iPhone,” Zwienenberg said.
Visitors who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are sent on to sites serving up the Blackhole exploit kit.
Webserver admins have been advised to hunt for evidence of Cdorked, and ESET has published a tool to help locate the backdoor.
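One way an admin can act on that advice, as an added example that is neither ESET’s tool nor code from the article: since the only on-disk artifact described above is the replaced httpd binary, compare the web server daemon binaries against a SHA-256 baseline recorded when the host was known clean, and cross-check with the package manager’s own file verification. The baseline path and the daemon paths are assumptions.

```shell
# Added example (not ESET's detection tool): check web server daemon
# binaries against a known-good SHA-256 baseline. BASELINE_FILE and
# DAEMONS are assumed locations, not values from the article.
BASELINE_FILE="${BASELINE_FILE:-/var/lib/baseline/webserver.sha256}"
DAEMONS="/usr/sbin/httpd /usr/sbin/apache2 /usr/sbin/nginx /usr/sbin/lighttpd"

# verify_binary FILE BASELINE
# BASELINE holds lines in sha256sum's "<hash>  <path>" format (paths
# without spaces). Returns 0 on match, 1 on mismatch, 2 if FILE has no
# baseline entry.
verify_binary() {
    file="$1"; baseline="$2"
    expected=$(awk -v f="$file" '$2 == f { print $1; exit }' "$baseline")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# check_daemons BASELINE PATH...
# Checks every listed path that exists; prints one status line each and
# returns 1 if any binary differs from, or is missing from, the baseline.
check_daemons() {
    baseline="$1"; shift
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        status=0
        verify_binary "$f" "$baseline" || status=$?
        case $status in
            0) echo "OK        $f" ;;
            1) echo "MODIFIED  $f  (hash differs from baseline; treat as suspect)"; rc=1 ;;
            *) echo "UNKNOWN   $f  (no baseline entry)"; rc=1 ;;
        esac
    done
    return $rc
}

# Cross-check with the package manager where one is present: a replaced
# daemon binary also fails the package's recorded checksum.
pkg_verify() {
    if command -v rpm >/dev/null 2>&1; then rpm -V httpd nginx lighttpd 2>/dev/null
    elif command -v dpkg >/dev/null 2>&1; then dpkg -V apache2 nginx lighttpd 2>/dev/null
    fi
}

# Run the check only when invoked as: sh check_webserver.sh --run
if [ "${1:-}" = "--run" ]; then
    check_daemons "$BASELINE_FILE" $DAEMONS   # unquoted: split into paths
    pkg_verify
fi
```

A non-zero exit means at least one daemon binary does not match the baseline and the host should be taken offline for forensic inspection rather than simply reinstalled over.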
One big mystery remains: ESET has no idea how the backdoor got onto servers in the first place. The malware does not propagate by itself and it does not appear to exploit a vulnerability in webserver software.