Thousands Threatened By Super Stealthy Apache Backdoor

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Hundreds of servers affected, leaving thousands open to infection, ESET warns

The “most sophisticated” backdoor ever has been found on hundreds of Apache webservers, avoiding detection with some advanced techniques, and potentially infecting thousands of web users with malware, security researchers have warned.

The eventual aim of the Apache backdoor, known as Linux/Cdorked.A, is to allow attackers to alter websites, so they redirect users to sites serving up the Blackhole exploit kit.

Malware - Fotolia: skull button © alekup #34457353Backdoor stealth

But it is the myriad ways Linux/Cdorked.A hides itself from detection software that has impressed security professionals.

Researchers from ESET and Sucuri found the backdoor replaces the “httpd” file, the daemon or service used by Apache, with malicious code. No other traces are left on the hard drive of compromised hosts.

Linux/Cdorked does not write any files on the disk, instead allocating around six megabytes of shared memory for its state and configuration information.

“All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis,” said Pierre-Marc Bureau, ESET security intelligence programme manager.

“The backdoor’s configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools,” added  Righard Zwienenberg, senior researcher fellow at ESET.

“The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex.”

As a result, the appearance of the infected site does not change, but the attackers can set requests to redirect users to infected sites.

After redirects take place, a cookie is installed in the user’s browser, checking if the URL or server name contains strings that could hint the user is an administrator. This is most likely done to ensure admins are not alerted to malicious activity, ESET said.

It appears the threat affects only those Apache servers run by the cPanel hosting control panel.

For information on how to locate and remove the backdoor, head to the ESET website.

Are you a security expert? Try our quiz!