Thousands Threatened By Super Stealthy Apache Backdoor

The “most sophisticated” backdoor ever has been found on hundreds of Apache webservers, avoiding detection with some advanced techniques, and potentially infecting thousands of web users with malware, security researchers have warned.

The eventual aim of the Apache backdoor, known as Linux/Cdorked.A, is to allow attackers to alter websites, so they redirect users to sites serving up the Blackhole exploit kit.

Backdoor stealth

But it is the myriad ways Linux/Cdorked.A hides itself from detection software that has impressed security professionals.

Researchers from ESET and Sucuri found the backdoor replaces the “httpd” file, the daemon or service used by Apache, with malicious code. No other traces are left on the hard drive of compromised hosts.

Linux/Cdorked does not write any files on the disk, instead allocating around six megabytes of shared memory for its state and configuration information.

“All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis,” said Pierre-Marc Bureau, ESET security intelligence programme manager.

“The backdoor’s configuration is sent by the attacker using HTTP requests that are not only obfuscated, but also not logged by Apache, reducing the likelihood of detection by conventional monitoring tools,” added  Righard Zwienenberg, senior researcher fellow at ESET.

“The configuration is stored in memory, meaning no command and control information for the backdoor is visible, making forensic analysis complex.”

As a result, the appearance of the infected site does not change, but the attackers can set requests to redirect users to infected sites.

After redirects take place, a cookie is installed in the user’s browser, checking if the URL or server name contains strings that could hint the user is an administrator. This is most likely done to ensure admins are not alerted to malicious activity, ESET said.

It appears the threat affects only those Apache servers run by the cPanel hosting control panel.

For information on how to locate and remove the backdoor, head to the ESET website.

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Consumer Group Says Major Australian Retailers Using Facial Recognition

Consumer group Choice files with privacy regulator to stop three major Australian retailers from collecting…

22 mins ago

Google Jobs Service Hit By Fresh Antitrust Complaint In Denmark

Danish competitor files fresh antitrust complaint against Google for Jobs, saying its search traffic fell…

1 hour ago

Toshiba Board Set For Vote That Would Back Buyout Strategy

Toshiba board expected to approve appointment of two external directors from hedge fund investors, making…

2 hours ago

Nio ‘Investigating’ Deaths Of Two After EV Plunges From Building

Shanghai electric vehicle maker Nio says it is investigating deaths of two people after one…

3 hours ago

Google Warns Of Italian Spyware On Apple, Android Phones

Italian company's hacking tools have been used to spy on Apple, Android smartphones in Italy…

3 days ago