Super Stealthy Backdoor Spreads To Hit Hundreds Of Thousands Of Web Users


Cdorked almost matches Stuxnet for sophistication, researcher tells TechWeek

One of the most sophisticated web server backdoors ever seen has spread fast and is now sitting on hundreds of webservers running some of the most popular websites in the world, researchers have warned.

One expert told TechWeekEurope the Cdorked backdoor, brought to light in April, is almost as smart as Stuxnet, the malware which disrupted Iranian nuclear facilities, highlighting the severity of the threat.

ESET said it had uncovered 400 webservers infected with Linux/Cdorked.A, 50 of which are amongst the top 100,000 most popular websites, according to the Alexa ranking service. The highest ranked site using an infected server was in the top 2,000.

Massive backdoor attack

The ultimate aim of the backdoor is to redirect users to websites, either to get them infected with malware using the Blackhole exploit kit, or to push them to porn sites where click fraud is in operation.

It was initially believed the backdoor affected Apache servers only, but it is now clear open source Lighttpd and nginx servers have been hit too. It is extremely rare to see malware capable of infecting numerous kinds of webserver.

Given ESET saw 100,000 users of its security products browsing infected websites due to Linux/Cdorked.A redirection, it is clear many more will have been touched by the malware, potentially millions.

ESET said it also believed Cdorked was even stealthier and more complex than it initially thought. The backdoor gives the attacker plenty of targeting ability, by using a range of blacklists and whitelists, which includes blacklists for certain languages, such as Japanese, Finnish and Russian.

It also keeps a list of IPs it has redirected with a timestamp, to avoid redirecting the same victim twice within a small period of time, which should help avoid detection. All of this remains in memory and is modified by the attacker through HTTP requests on the infected webserver. The only thing stored on the hard drive is the malicious code that replaces the “httpd” file, the daemon or service used by a webserver.

The attackers are doing all this to hide their activities, ESET believes. Righard Zwienenberg, senior research fellow at ESET, compared the malware to Stuxnet, believed to be the most sophisticated piece of malware ever created.

“When I look at it, it is almost as sophisticated as Stuxnet when it was first discovered,” Zwienenberg told TechWeekEurope.

“The attackers are quite specific in what they block… we are still finding new things that are quite interesting that show this is really sophisticated malware.”

When asked why he thought it was close to the level of Stuxnet, he noted how the attackers’ infrastructure uses compromised DNS servers. Those who control DNS servers can send anyone using those services to a malicious website whenever a URL is translated into an IP address, regardless of whether the user has visited a website running on an infected server.

The compromised DNS servers also let the attackers ensure they are not sending victims to the same infected site twice – another clever way of obscuring their illicit activities.

“To be able to have Trojanised DNS servers, which are the backbone of routing on the Internet, you can control whatever people are seeing. It is scary because they could redirect you to your bank site,” Zwienenberg added.

The security firm also found specific redirections were configured for Apple iPad and iPhone users, who are being pushed to porno sites, most likely for click fraud reasons, given the locked down iOS model shouldn’t allow non-signed malware to get onto devices. That’s only if users haven’t jailbroken their devices, however.

“Many pornographic websites have automatic downloaders trying to get all kinds of dangerous content on your iPhone,” Zwienenberg said.

Visitors who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are sent on to sites serving up the Blackhole exploit kit.

Webserver admins have been advised to hunt for evidence of Cdorked, and ESET has published a tool to help locate the backdoor.

One big mystery remains: ESET has no idea how the backdoor got onto servers in the first place. The malware does not propagate by itself and it does not appear to exploit a vulnerability in webserver software.
