Super Stealthy Backdoor Spreads To Hit Hundreds Of Thousands Of Web Users

One of the most sophisticated web server backdoors ever seen has spread fast and is now sitting on hundreds of webservers running some of the most popular websites in the world, researchers have warned.

One expert told TechWeekEurope the Cdorked backdoor, brought to light in April, is almost as smart as Stuxnet, the malware which disrupted Iranian nuclear facilities, highlighting the severity of the threat.

ESET said it had uncovered 400 webservers infected with Linux/Cdorked.A, 50 of which are amongst the top 100,000 most popular websites, according to the Alexa ranking service. The highest ranked site using an infected server was in the top 2,000.

Massive backdoor attack

The ultimate aim of the backdoor is to redirect users to websites, either to get them infected with malware using the Blackhole exploit kit, or to push them to porn sites where click fraud is in operation.

It was initially believed the backdoor affected Apache servers only, but it is now clear open source Lighttpd and nginx servers have been hit too. It is extremely rare to see malware capable of infecting numerous kinds of webserver.

Given ESET saw 100,000 users of its security products browsing infected websites due to Linux/Cdorked.A redirection, it is clear many more will have been touched by the malware, potentially millions.

ESET said it also believed Cdorked was even stealthier and more complex than it initially thought. The backdoor gives the attacker plenty of targeting ability, by using a range of blacklists and whitelists, which includes blacklists for certain languages, such as Japanese, Finnish and Russian.

It also keeps a list of IPs it has redirected with a timestamp, to avoid redirecting the same victim twice within a small period of time, which should help avoid detection. All of this remains in memory and is modified by the attacker through HTTP requests on the infected webserver. The only thing stored on the hard drive is the malicious code that replaces the “httpd” file, the daemon or service used by a webserver.

The attackers are doing all this to hide their activities, ESET believes. Righard Zwienenberg, senior research fellow at ESET, compared the malware to Stuxnet, believed to be the most sophisticated piece of malware ever created.

“When I look at it, it is almost as sophisticated as Stuxnet when it was first discovered,” Zwienenberg told TechWeekEurope.

“The attackers are quite specific in what they block… we are still finding new things that are quite interesting that show this is really sophisticated malware.”

When asked why he thought it was close to the level of Stuxnet, he noted how the attackers’ infrastructure uses compromised DNS servers. Whoever controls a DNS server can send any user relying on it for name resolution to a malicious website at the moment a hostname is translated into an IP address, regardless of whether that user has visited a website running an infected server.

The compromised DNS servers also let the attackers ensure they are not sending victims to the same infected site twice – another clever way of obscuring their illicit activities.

“To be able to have Trojanised DNS servers, which are the backbone of routing on the Internet, you can control whatever people are seeing. It is scary because they could redirect you to your bank site,” Zwienenberg added.

The security firm also found specific redirections were configured for Apple iPad and iPhone users, who are being pushed to porn sites, most likely for click fraud reasons, given the locked-down iOS model shouldn’t allow unsigned malware to get onto devices. That only holds if users haven’t jailbroken their devices, however.

“Many pornographic websites have automatic downloaders trying to get all kinds of dangerous content on your iPhone,” Zwienenberg said.

Visitors who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are sent on to sites serving up the Blackhole exploit kit.

Webserver admins have been advised to hunt for evidence of Cdorked, and ESET has published a tool to help locate the backdoor.
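Because the article notes that the only on-disk artifact is the replaced daemon binary, a practical first check for an administrator is an integrity comparison of the web server binaries against a trusted baseline. The script below is an added illustration of that check, not ESET's published tool; the binary paths are assumptions and the sample files are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Default install paths for the daemons the article names (assumption: adjust
# to your distribution; Debian-style Apache installs use /usr/sbin/apache2).
DAEMON_BINARIES = ("/usr/sbin/httpd", "/usr/sbin/apache2",
                   "/usr/sbin/nginx", "/usr/sbin/lighttpd")

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(paths=DAEMON_BINARIES):
    """Record digests of the daemon binaries present; run this on a known-clean
    host (or right after a fresh package install) and store the result off-box."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}

def check_baseline(baseline):
    """Compare the binaries on disk with the baseline. A changed digest is the
    one on-disk indicator the article describes: the replaced httpd file."""
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif sha256_file(path) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report

def demo():
    """Constructed scenario: baseline a fake 'httpd', then overwrite it the way
    a binary replacement would, and return the report before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "httpd"
        fake.write_bytes(b"clean daemon bytes (constructed sample)")
        baseline = build_baseline([str(fake)])
        before = check_baseline(baseline)
        fake.write_bytes(b"replaced daemon bytes (constructed sample)")
        after = check_baseline(baseline)
    return before, after
```

Keep the baseline off the server itself: a backdoor that can replace the daemon could equally replace a checksum file stored beside it.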

One big mystery remains: ESET has no idea how the backdoor got onto servers in the first place. The malware does not propagate by itself and it does not appear to exploit a vulnerability in webserver software.




By Janeth Kent, 09-05-2013

Janeth Kent

Fine Arts graduate and programmer by passion. When I have a spare moment I retouch photos, edit videos and design things. The rest of the time I write for MA-NO WEB DESIGN AND DEVELOPMENT.

