Information Security News
mailing list archives
Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 3 Apr 2013 04:28:24 -0500 (CDT)
By Dan Goodin
Apr 2 2013
Tens of thousands of websites, some operated by The Los Angeles Times, Seagate,
and other reputable companies, have recently come under the spell of
"Darkleech," a mysterious exploitation toolkit that exposes visitors to potent
The ongoing attacks, estimated to have infected 20,000 websites in the past few
weeks alone, are significant because of their success in targeting Apache, by
far the Internet's most popular Web server software. Once it takes hold,
Darkleech injects invisible code into webpages, which in turn surreptitiously
opens a connection that exposes visitors to malicious third-party websites,
researchers said. Although the attacks have been active since at least August,
no one has been able to positively identify the weakness attackers are using to
commandeer the Apache-based machines. Vulnerabilities in Plesk, Cpanel, or
other software used to administer websites are one possibility, but researchers
aren't ruling out the possibility of password cracking, social engineering, or
attacks that exploit unknown bugs in frequently used applications and OSes.
Researchers also don't know precisely how many sites have been infected by
Darkleech. The server malware employs a sophisticated array of conditions to
determine when to inject malicious links into the webpages shown to end users.
Visitors using IP addresses belonging to security and hosting firms are passed
over, as are people who have recently been attacked or who don't access the
pages from specific search queries. The ability of Darkleech to inject unique
links on the fly is also hindering research into the elusive infection toolkit.
"Given that these are dynamically generated, there would be no viable means to
do a search to ferret them out on Google, etc.," Mary Landesman, a senior
security researcher for Cisco Systems' TRAC team, told Ars. "Unfortunately, the
nature of the compromise coupled with the sophisticated conditional criteria
presents several challenges."
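
Because the injection is conditional and generated per request, a site owner cannot search for a fixed string; one defensive check is to compare what the server returns for the same page with and without a search-engine referrer. The sketch below is an added example, not part of the article or any vendor tool: it assumes the injected code appears as an off-site iframe or script element (the article says only "invisible code"), and the two response bodies and all host names are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ExternalRefs(HTMLParser):
    """Collect (tag, host, hidden) for iframe/script tags loading from another host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host or host == self.site_host:
            return  # inline or same-site content is out of scope here
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
        self.refs.add((tag, host, hidden))

def external_refs(html, site_host):
    parser = _ExternalRefs(site_host)
    parser.feed(html)
    return parser.refs

def conditional_injections(baseline_html, search_html, site_host):
    """Off-site elements served only to the search-referred request, hidden ones first."""
    only = external_refs(search_html, site_host) - external_refs(baseline_html, site_host)
    return sorted(only, key=lambda r: (not r[2], r[1]))

# Constructed sample responses for the same URL: BASELINE was requested directly,
# SEARCH_REFERRED with a search-engine Referer header.
BASELINE = ('<html><body><script src="https://cdn.example.net/lib.js"></script>'
            '<p>Article text</p></body></html>')
SEARCH_REFERRED = ('<html><body><script src="https://cdn.example.net/lib.js"></script>'
                   '<p>Article text</p>'
                   '<iframe src="http://x7k2.example.org/q.php" width="1" height="1" '
                   'style="visibility: hidden"></iframe></body></html>')

if __name__ == "__main__":
    for tag, host, hidden in conditional_injections(BASELINE, SEARCH_REFERRED,
                                                    "www.example.com"):
        print(f"only in search-referred response: <{tag}> from {host} hidden={hidden}")
```

An empty result does not clear a server: the article notes that requests from security and hosting firms' addresses, and visitors who were recently targeted, are passed over.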