When successfully deployed, the malware can open the doors to havoc. “When attackers get full root access to the server, they can do anything they want,” said Sucuri researcher Daniel Cid, in a blog post. “From modifying configurations to injecting modules and replacing binaries. However, their tactics are changing to make it even harder for admins to detect their presence and recover from the compromise.”
Analysis from ESET shows that Linux/Cdorked seems to be affecting hundreds of webservers already. “At the time of writing, the ESET Livegrid monitoring system is showing hundreds of webservers that seem to be affected by this backdoor with thousands of visitors being redirected to malicious content,” the company noted, in a blog.
One big issue is how advanced the Linux/Cdorked.A malware is: ESET, in its forensic analysis, said that it is “one of the most sophisticated Apache backdoors we have seen so far,” particularly when it comes to detection evasion tactics.
“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis,” ESET noted. “All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.”
Researchers also don’t have enough information to pinpoint how those servers are initially being hacked, but “we are thinking through SSHD-based brute force attacks,” Cid said.
It’s also evolving. For the last few months, Sucuri has been tracking server level compromises that have been utilizing malicious Apache modules (Darkleech) to inject malware into websites. However, during the last few months, “we started to see a change on how the injections were being done,” said Cid. “On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated and we worked with our friends from ESET to provide this report on what we are seeing.”
For webmasters, checking for the presence of the shared memory is the recommended way to make sure a system is not infected. “The permissions on the shared memory allocation are loose,” explained ESET. “This allows other processes to access the memory. We have made a free tool (dump_cdorked_config.py) to allow systems administrators to verify the presence of the shared memory region and dump its content into a file. We also recommend using debsums for Debian or Ubuntu systems and `rpm --verify` for RPM-based systems, to verify the integrity of your Apache web server package installation.”
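The two checks ESET recommends, as an added example that is not the article's or ESET's own code (it is not dump_cdorked_config.py): a parser over `ipcs -m` output that flags shared memory segments readable by other users, and a package-integrity check that picks debsums or `rpm --verify` depending on what the host has. The `ipcs` sample is constructed, and the function names and package names (`apache2`, `httpd`) are assumptions.

```shell
#!/bin/sh
# Flag System V shared memory segments whose permission bits let processes
# of other users read them. ESET describes the backdoor's configuration
# segment as having loose permissions, so such a segment attached to the
# web server is worth inspecting. Reads `ipcs -m` text on stdin and prints
# "shmid owner perms bytes" for each flagged segment.
loose_shm_segments() {
    awk '
        # Data rows begin with a hex key; the banner and header are skipped.
        /^0x[0-9a-fA-F]+/ {
            perms = $4
            # perms is an octal mode such as 666; its last digit is the
            # "other" class, and any read bit there (4-7) means any local
            # user can attach the segment.
            other = substr(perms, length(perms), 1) + 0
            if (other >= 4) print $2, $3, $4, $5
        }
    '
}

# Constructed sample in the `ipcs -m` layout (not captured from a real host).
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      root       600        4096       2
0x00000000 65537      apache     666        6118512    1
0x0052e2c1 98306      postgres   600        56         6'

# Compare the installed web server files against the distribution package
# manifest, so a replaced httpd binary shows up as a changed file.
verify_httpd_package() {
    if command -v debsums >/dev/null 2>&1; then
        debsums -c apache2 2>/dev/null      # lists changed files, if any
    elif command -v rpm >/dev/null 2>&1; then
        rpm --verify httpd                  # non-empty output = mismatch
    else
        echo "no package verification tool found" >&2
        return 2
    fi
}

# Demo run over the constructed sample; on a live host pipe `ipcs -m` instead.
printf '%s\n' "$SAMPLE_IPCS" | loose_shm_segments
```

On a real server run `ipcs -m | loose_shm_segments` and `verify_httpd_package`; a flagged segment owned by the web server user, or a changed httpd file, is the cue to dump and examine the segment.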