Security Researchers Analyze New Threat Infecting Apache Web Servers
Researchers from the security company ESET and the web-security company Sucuri recently examined a new threat that has been infecting Apache web servers.
Named Linux/Cdorked.A, the threat is a stealthy backdoor that the researchers describe as highly sophisticated. It is being used to redirect visitor traffic to malicious websites hosting the BlackHole exploit kit. According to the researchers, the backdoor is more sophisticated than anything previously seen targeting Apache.
Pierre-Marc Bureau, Security Intelligence Program Manager at ESET, says that Linux/Cdorked.A leaves only one artifact on the infected machine's disk: a modified 'httpd' file, the daemon that Apache runs as. Everything else the backdoor needs is kept in the server's shared memory, which makes it harder both to detect the infection and to analyze it, Bureau explains. Help Net Security reported this on April 29, 2013.
Furthermore, Linux/Cdorked.A uses other techniques to evade detection, both on the compromised Apache servers themselves and in the web browsers of the PCs that connect to them.
Righard Zwienenberg, Senior Research Fellow at ESET, said that the attackers push Linux/Cdorked.A's configuration to the compromised server using obfuscated HTTP requests that leave no trace in Apache's logs, which conceals the fact that the web server has been hijacked. The malware can also receive commands via HTTP POST requests, Zwienenberg explained. V3.co.uk reported this on April 29, 2013.
Additionally, according to Zwienenberg, the Linux/Cdorked.A campaign has so far hijacked several hundred Apache web servers, which implies that thousands of websites hosted on them may be affected.
The attack is especially dangerous because Apache is so widely deployed: many organizations across different industries run it, so a compromise of this kind can spread its impact across many enterprises and sectors at once.
Finally, the researchers say it is not yet clear how the new threat relates to Darkleech, a malicious Apache module that compromised at least 20,000 websites. Linux/Cdorked.A and Darkleech may be the same program, different versions of the same program, or separate programs that both expose visitors to the BlackHole exploit kit. It is also still unclear exactly how legitimate websites are being infected with the disguised Apache module.
SPAMfighter News - 03-05-2013