Hacked Web sites serve malware

Johannesburg, Apr 4, 2013

Tens of thousands of Web sites may be serving malware to visitors, following what appears to be a coordinated series of attacks.

Visitors to sites hosted on infected servers are served malicious scripts via code injected into normally innocent pages, which delivers drive-by malware to infect Web browsers.

An investigation by Dan Goodin, at Ars Technica, suggests that more than 20 000 sites may have been compromised in recent weeks.

"[Targeted] Web servers are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules," wrote Mary Landesman, a security researcher at Cisco, in a blog post. "These modules are then used to turn hosted sites into attack sites, dynamically injecting iframes in real-time."

Servers running the Apache Web server on Linux are targeted, with root access being gained through vulnerabilities in Web-based control panels, says security researcher Hendrik Adrian.

"I supervised hundreds of servers infected by this malware module and found that the penetration was made via Parallels Plesk Panel," Adrian wrote. Web applications such as message boards and control panels are popular targets for attackers, since they are often not updated. Attackers use vulnerabilities to gain admin rights and initiate further attacks.

In this instance, Goodin reports, it appears that attackers escalated privileges via Web applications, then installed SSHD backdoors and modified the Apache Web server configuration to load DarkLeech, a malicious module that injects attack code into pages delivered by the server. Web server modules are commonly used to extend the functionality of servers, especially on servers hosting multiple sites.

DarkLeech is known to security researchers: it is offered for sale by a Russian malware author and has been used in previous attacks. Adrian posted a detailed analysis of the module on the Malware Must Die blog (malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html), showing techniques the module uses to escape detection and target payload delivery.

Detecting the module is not always easy, especially for sites on a shared host whose owners lack full admin rights to the underlying server. DarkLeech changes the name of its module and adjusts its behaviour to avoid detection, and even once it has been removed, reinfection can follow almost immediately if the underlying vulnerability is not addressed.
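Because the module name is not a reliable signal, one defender-side check is to ask the package manager whether each module file named in the Apache configuration belongs to an installed package, and to review by hand any that do not. The script below is an added example, not part of the article or of the cited researchers' work; the sample configuration and module names in it are constructed, and the dpkg/rpm lookups assume a Debian- or RPM-based host.

```python
import re
import shutil
import subprocess

# Matches e.g.  LoadModule rewrite_module modules/mod_rewrite.so  (quotes optional);
# anchoring at line start means '#'-commented directives are skipped.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.MULTILINE)
SERVERROOT_RE = re.compile(r'^\s*ServerRoot\s+"?([^"\s]+)"?', re.MULTILINE)

# Constructed sample config (not from any real host): one stock module, one
# commented-out module, and one with an arbitrary, innocuous-looking name.
SAMPLE_CONFIG = """\
ServerRoot "/etc/httpd"
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule status_module modules/mod_status.so
LoadModule cache_helper_module /usr/lib64/httpd/modules/mod_cache_helper.so
"""

def parse_loadmodules(config_text, default_root="/etc/httpd"):
    """(module_name, absolute_path) for each active LoadModule line;
    relative paths resolve against ServerRoot, as httpd does itself."""
    m = SERVERROOT_RE.search(config_text)
    root = (m.group(1) if m else default_root).rstrip("/")
    modules = []
    for name, path in LOADMODULE_RE.findall(config_text):
        modules.append((name, path if path.startswith("/") else f"{root}/{path}"))
    return modules

def package_owns(path):
    """True if dpkg or rpm reports an installed package owning `path` (real host
    check). With neither tool present, return False so every module is surfaced
    for review rather than silently trusted."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    else:
        return False
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_unowned_modules(config_text, owned=package_owns):
    """Modules whose shared object no package claims: the list to review by hand."""
    return [(n, p) for n, p in parse_loadmodules(config_text) if not owned(p)]

if __name__ == "__main__":
    # Offline demo with a stand-in ownership check; on a real server pass the
    # contents of httpd.conf (and any Included files) with the default `owned`.
    stock = lambda p: p.endswith("/mod_rewrite.so")
    for name, path in find_unowned_modules(SAMPLE_CONFIG, owned=stock):
        print(f"review: {name} -> {path}")
```

An unowned module is only a lead, since locally built modules are legitimate too; the point is that the check does not depend on the name the module chooses for itself.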

"Web site owners will not be able to detect or clean the compromise as it is not actually on their Web site, and most will not have root-level access to the Webserver," Landesman noted. "Even if the hosting provider is responsive, the malicious Apache modules and associated SSHD backdoor may be difficult to ferret out."

Story by Jon Tullett