Super Stealthy Backdoor Spreads to Hit Hundreds of Thousands of Web Users


One of the most sophisticated web server backdoors ever seen has spread fast and is now sitting on hundreds of webservers running some of the most popular websites in the world, researchers have warned.

One expert told TechWeekEurope the Cdorked backdoor, brought to light in April, is almost as smart as Stuxnet, the malware which disrupted Iranian nuclear facilities, highlighting the severity of the threat.

ESET said it had uncovered 400 webservers infected with Linux/Cdorked.A, 50 of which are amongst the top 100,000 most popular websites, according to the Alexa ranking service. The highest ranked site using an infected server was in the top 2,000.

Massive backdoor attack

The ultimate aim of the backdoor is to redirect users to websites, either to get them infected with malware using the Blackhole exploit kit, or to push them to porn sites where click fraud is in operation.

It was initially believed the backdoor affected Apache servers only, but it is now clear open source Lighttpd and nginx servers have been hit too. It is extremely rare to see malware capable of infecting numerous kinds of webserver.

Given ESET saw 100,000 users of its security products browsing infected websites due to Linux/Cdorked.A redirection, it is clear many more will have been touched by the malware, potentially millions.

ESET said it also believed Cdorked was even stealthier and more complex than it initially thought. The backdoor gives the attacker plenty of targeting ability, by using a range of blacklists and whitelists, which includes blacklists for certain languages, such as Japanese, Finnish and Russian.

It also keeps a list of IP addresses it has already redirected, each with a timestamp, so that the same victim is not redirected twice within a short period of time, which helps it avoid detection. All of this state lives only in memory and is modified by the attacker through HTTP requests to the infected webserver. The only thing stored on the hard drive is the malicious code that replaces the “httpd” file, the daemon or service binary that runs the webserver.
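Because the article says the only on-disk artefact is the replaced webserver binary, the check an administrator would most want is a file-integrity comparison of that binary against a trusted snapshot. The following is an added example written for this page, not ESET's published detection tool and not code from the article: it records the SHA-256, size and permission bits of a set of paths into a JSON baseline and later reports anything that no longer matches. The `demo()` function builds a throwaway directory with a constructed fake `httpd` file, baselines it, overwrites it to simulate a swapped binary, and returns the findings.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Snapshot hash, size and permission bits of files believed to be clean."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify_baseline(baseline):
    """Return (path, reason) tuples for every file that no longer matches the snapshot."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        st = os.stat(p)
        if st.st_mode & 0o7777 != rec["mode"]:
            findings.append((p, "permissions changed"))
        if sha256_file(p) != rec["sha256"]:
            findings.append((p, "content changed"))
    return findings


def demo():
    """Constructed scenario: baseline a fake 'httpd', then replace its contents."""
    with tempfile.TemporaryDirectory() as d:
        httpd = os.path.join(d, "httpd")          # stand-in for the webserver binary
        module = os.path.join(d, "mod_ssl.so")    # an unchanged sibling file
        for p in (httpd, module):
            with open(p, "wb") as f:
                f.write(b"\x7fELF original binary contents (constructed)")
            os.chmod(p, 0o755)

        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(build_baseline([httpd, module]), baseline_path)

        # Simulate the binary being swapped out for different code with the same mode.
        with open(httpd, "wb") as f:
            f.write(b"\x7fELF replaced binary contents (constructed)")
        os.chmod(httpd, 0o755)

        return verify_baseline(load_baseline(baseline_path))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

In real use the baseline must be taken from a known-clean install and kept off the host (or on read-only media), since an attacker who has replaced `httpd` can equally rewrite a baseline stored beside it. On packaged systems the same comparison is available without a custom baseline through the package manager's own manifests, for example `rpm -V httpd` on RPM-based distributions or `debsums` on Debian-derived ones.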

The attackers are doing all this to hide their activities, ESET believes. Righard Zwienenberg, senior research fellow at ESET, compared the malware to Stuxnet, believed to be the most sophisticated piece of malware ever created.

“When I look at it, it is almost as sophisticated as Stuxnet when it was first discovered,” Zwienenberg told TechWeekEurope.

“The attackers are quite specific in what they block… we are still finding new things that are quite interesting that show this is really sophisticated malware.”

When asked why he thought it was close to the level of Stuxnet, he noted how the attackers’ infrastructure uses compromised DNS servers. Whoever controls a DNS server can send anyone who relies on it to resolve a hostname into an IP address to a malicious website, whether or not they have ever visited a site running an infected server.

The compromised DNS servers also let the attackers ensure they are not sending victims to the same infected site twice – another clever way of obscuring their illicit activities.

“To be able to have Trojanised DNS servers, which are the backbone of routing on the Internet, you can control whatever people are seeing. It is scary because they could redirect you to your bank site,” Zwienenberg added.

The security firm also found specific redirections were configured for Apple iPad and iPhone users, who are being pushed to porn sites, most likely for click fraud reasons, given that the locked-down iOS model shouldn’t allow unsigned malware onto devices. That holds only if users haven’t jailbroken their devices, however.

“Many pornographic websites have automatic downloaders trying to get all kinds of dangerous content on your iPhone,” Zwienenberg said.

Visitors who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are sent on to sites serving up the Blackhole exploit kit.
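The redirections described above are conditional on the visiting client, so a site owner fetching their own pages with a normal browser may never see them. The following added example (written for this page; not ESET's tool and not code from the article) probes a URL once per User-Agent without following redirects and reports any client family that gets bounced to a different host. The User-Agent strings are constructed stand-ins for the client types the article names, the `http_fetch` helper performs a real request, and `demo()` substitutes a constructed fetcher so the logic runs offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed User-Agent strings standing in for the client families the article
# mentions (IE and Firefox on Windows, iPhone) plus a neutral reference client.
PROBE_AGENTS = {
    "reference": "Mozilla/5.0 (X11; Linux x86_64) probe/1.0",
    "ie8-winxp": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
    "firefox-win7": "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 Mobile Safari/8536.25",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header is visible to the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, user_agent, timeout=10):
    """Real fetcher: return (status, Location-or-None) for one request with one User-Agent."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # 3xx responses land here because the redirect handler declined to follow them.
        return e.code, e.headers.get("Location")


def find_conditional_redirects(url, fetch=http_fetch, agents=PROBE_AGENTS):
    """Fetch url once per User-Agent; return the agents that were redirected off-site."""
    own_host = urlsplit(url).hostname
    findings = []
    for name, ua in agents.items():
        status, location = fetch(url, ua)
        if 300 <= status < 400 and location:
            target_host = urlsplit(location).hostname
            # A relative Location (no host) stays on our own site and is not flagged.
            if target_host and target_host != own_host:
                findings.append({"agent": name, "status": status, "location": location})
    return findings


def _constructed_fetch(url, user_agent):
    """Constructed responses: only the old IE client gets sent to another host."""
    if "MSIE" in user_agent:
        return 302, "http://redirect.invalid/landing"
    return 200, None


def demo():
    return find_conditional_redirects("http://www.example.com/", fetch=_constructed_fetch)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['agent']}: {hit['status']} -> {hit['location']}")
```

Because the article says the backdoor remembers which IP addresses it has already redirected, a second probe from the same address may get a clean response; repeat the check from a different network, or treat a single off-site redirect as sufficient reason to run the file-integrity checks on the server.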

Webserver admins have been advised to hunt for evidence of Cdorked, and ESET has published a tool to help locate the backdoor.

One big mystery remains: ESET has no idea how the backdoor got onto servers in the first place. The malware does not propagate by itself and it does not appear to exploit a vulnerability in webserver software.




by Janeth Kent, 09-05-2013

Janeth Kent

Graduate in Fine Arts and programmer by passion. When I have a spare moment I retouch photos, edit videos and design things. The rest of the time I write at MA-NO WEB DESIGN END DEVELOPMENT.

