Attack Using Backdoored Apache Binaries to Lead to Blackhole Kit

There is a newly identified ongoing attack campaign in which attackers are using compromised Apache HTTP binaries to redirect users to malicious sites serving various flavors of malware, including the Blackhole exploit kit. Rather than going the traditional route of simply injecting malicious code onto target Web sites, this attack crew is replacing the existing Apache binary with a compromised one that contains what security researchers say is a highly sophisticated backdoor.

The backdoor, which researchers are calling Linux/Cdorked, has a number of interesting attributes, but perhaps the most unusual bit is the fact that the backdoor doesn’t write any files to disk and instead uses shared memory as a means of maintaining its presence on the machine. The lack of information left on infected machines makes life difficult for researchers trying to analyze the attack, but what experts have come up with so far shows that there could be as many as several hundred infected servers at this point.

“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system,” Pierre-Marc Bureau of ESET, which has done analysis of the attack, said in a blog post.

“The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. It is invoked when a request to a special path is performed with a query string in a particular format, containing the hostname and port to connect. The client IP of the HTTP dialog is used as a key to decrypt the query string as a 4 byte XOR key.”

The Linux/Cdorked backdoor is interesting on several levels aside from its ability to leave little to no trace on compromised machines. One other odd aspect is the attackers’ decision to completely replace the Apache HTTP binary as part of the attack. This is a more complicated and risky attack scenario than what’s normally seen in code-injection/redirection attacks. Typically, attackers looking to push large numbers of victims to a site they control–such as a porn or gambling site or a malware depot–will look for sites vulnerable to a particular exploit, load their code onto those sites and then have it redirect victims to the target site. A halfway enterprising attacker would have no trouble finding dozens or hundreds of sites on which to bury his malicious redirect code.

But the attackers in this case took the more difficult route, opting to compromise the Web server itself and then fully replace the Apache binary. How they’re compromising the servers to begin with is also still a question. Researchers at Sucuri, who also analyzed the attacks, speculated that the attackers maybe using brute-force attempts on SSH servers as an initial entry point. Once the attackers have the malicious binary on a target server, they appear to be using them selectively. The malicious redirects are only served to each IP address once a day, and the sites from which the binary loads the malicious code appear to be random URLs.

“Once the malware is loaded it will redirect the site to spammy sites (most often porn pages). At the sites we analyzed, they were being pushed to httx://amazingtubesites.org (seems offline now). On some cases we also saw the redirection going to the Blackhole Exploit kit,” Daniel Cid, CTO of Sucuri, wrote.

The backdoor has a list of almost two dozen commands that the attacker can use, and these are sent to the compromised server via an HTTP POST request, ESET’s Bureau said.

” The request must also contain a cookie header starting with “SECID=”. The query string value must hold 2 hex encoded bytes that are encrypted with the client IP, using the same technique as the shell. The SECID cookie data will be used as arguments to some of the commands. We believe that the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region. We also believe that the conditions for redirection are set this way, for example, a white list of user agents to redirect can be preconfigured and a black list of IPs to avoid redirection,” he wrote.

 

Suggested articles