The attack that employed compromised Apache Web server binaries is turning out to be more complex than originally thought, as researchers now have found that the attackers also are using Trojaned Nginx and Lighttpd binaries as part of the campaign. More concerning, though, is the possibility that the attackers also have compromised a number of DNS servers and are using them to change crucial elements of the campaign on the fly and help hide their tracks.
The new details of the attack campaign, which researchers have dubbed Linux/Cdorked, show that the attackers have cast a wider net than what was found originally and have access to a wider range of compromised machines. Researchers at ESET who have analyzed the attack say that the group behind the attacks may have been active since December 2012. The researchers have discovered more than 400 Web servers compromised by this malware, and that some of them are among the most highly trafficked sites on the Web.
Even with the new details and further investigation into the attack, researchers still aren’t sure how the attackers are getting their malware onto the compromised Web servers.
“We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by a malicious actor to serve malicious content from legitimate websites,” Marc-Etienne M. Leveille of ESET wrote in an analysis of the attacks.
The general pattern of the attacks involves the attackers modifying Web server binaries on target sites, then using the malicious binary to serve code to certain users that redirects them to a malicious site. The user may then be redirected to a third site, but the end goal is to push the victim to a site that serves the Blackhole exploit kit. On mobile devices, such as iPhones and iPads, users are redirected to porn sites.
The attackers in this campaign are being quite careful to hide their actions, both on the client level and in a larger sense. In addition to keeping a large blacklist of IP ranges that the malware will not redirect to malicious Web sites, the attackers also appear to be using compromised DNS servers to change domains and subdomains quickly. The URLs for the domains that are part of the Cdorked redirection chain have a peculiar format, and after looking into them, the ESET researchers came to the conclusion that the DNS servers being used have been compromised.
“The peculiar format of the subdomains and the fact that they are constantly changing strongly suggested that the DNS servers were also compromised. We did some tests where we modified the characters of the subdomain and in some cases the IP address in the response changed. With some more testing we were able to confirm that the IP address returned by the DNS request is actually encoded in the subdomain itself. It is using the characters at odd positions to form a 4-byte-long hex string to decode the IP address from. A basic chained XOR cipher is used to encode the IP address,” M. Leveille said. “Due to the algorithmic nature of this behavior, we see no other explanation than the presence of trojanized DNS server binaries on the nameservers involved in Linux/CDorked.A.”
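The encoding described in the quote above can be turned into a detection heuristic: if the A record a nameserver returns is derivable from the queried label itself, the reply is algorithmic rather than a lookup. The following is an added example, not ESET's or the article's code; since the article gives no cipher details, the hex-digit positions, the chaining rule (each plaintext byte is the ciphertext byte XOR the previous ciphertext byte, seed 0x00) and the sample log lines are all assumptions constructed for illustration.

```python
# Added example (not from the original article or from ESET).
# ASSUMPTIONS: hex digits occupy the odd (1-based) positions of the leftmost DNS label,
# and "chained XOR" means plain[i] = cipher[i] ^ cipher[i-1], with cipher[-1] taken as 0x00.
import re
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

HEX = re.compile(r"^[0-9a-f]+$")

def subdomain_to_ip(label: str) -> Optional[str]:
    """Decode the leftmost label under the assumed scheme; None if it cannot encode an IP."""
    odd = label[0::2]                      # odd 1-based positions -> indexes 0, 2, 4, ...
    if len(odd) != 8 or not HEX.match(odd):
        return None                        # not 4 bytes of hex: cannot be an encoded IPv4
    cipher = bytes.fromhex(odd)
    plain, prev = bytearray(), 0
    for c in cipher:
        plain.append(c ^ prev)             # chained: keyed by the previous ciphertext byte
        prev = c
    return str(IPv4Address(bytes(plain)))

def answer_matches_label(qname: str, answer_ip: str) -> bool:
    """True when the returned A record is exactly what the queried label encodes."""
    return subdomain_to_ip(qname.split(".")[0]) == answer_ip

def flag_suspicious(dns_log: List[Tuple[str, str]]) -> List[str]:
    """Return query names whose answer was derivable from their own label."""
    return [qname for qname, answer in dns_log if answer_matches_label(qname, answer)]

def ip_to_subdomain(ip: str, filler: str = "k") -> str:
    """Inverse of subdomain_to_ip, used here only to construct test data."""
    out, prev = [], 0
    for p in IPv4Address(ip).packed:
        c = p ^ prev
        out.append(f"{c:02x}")
        prev = c
    return "".join(h + filler for h in "".join(out))   # hex at odd positions, filler between

# Constructed sample of (query name, A record answered); 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    (ip_to_subdomain("203.0.113.9") + ".example.net", "203.0.113.9"),
    ("www.example.org", "198.51.100.7"),
]

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))     # only the first, label-encoded query is flagged
```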
Web security researchers say that the tactics the attackers are using are not the most efficient ones and that they are causing themselves some unnecessary trouble.
“This has all the disadvantages of a typical root compromise, meaning that the attacker must now find a way to escalate privileges to root. The main advantage to using this sort of backdoor is that webmasters typically don’t monitor or back up anything outside of the web root and in many cases don’t even have access to do so in shared hosting environments. This means the attacker naturally gets persistence where a typical modification to source code or .htaccess files would be fixed relatively quickly,” said Robert Hansen, a noted security researcher and director of product management at White Hat Security.