Stealthy Malware Is Attacking Web Servers

The infection has crossed over from Apache servers to Lighttpd and Nginx boxes—and researchers have no idea how it is spreading.

Security researchers are sounding the alarm about a new piece of highly stealthy malware that is infecting Web servers. Called Linux/Cdorked, it redirects website visitors to compromised sites. Experts are still trying to figure out how the servers are being infected.

Ars Technica's Dan Goodin reported, "Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet's most popular Web servers to push potent malware exploits on visitors. Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection)."

USA Today quoted ESET researcher Cameron Camp, who explained, "This rogue piece of software silently infects the most well-known and widely-used webserver in the world, the Apache web server, but without actually touching the hard drive at all. It resides entirely in memory. This makes it hard for system administrators to even know it's there and very difficult for them to check system logs to find out how to fix it. Plus, if they reboot the server or aren't extremely careful, all the evidence disappears without a trace."

And Computerworld quoted ESET's Marc-Etienne M. Leveille, who wrote, "We still don't know for sure how this malicious software was deployed on the web servers. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software."

In separate but related news, InformationWeek's Matthew J. Schwartz noted, "The developers behind the popular open-source Web server software Nginx have released updates to patch a serious vulnerability. Nginx Tuesday announced the release of nginx-1.4.1 -- as well as 'development version' nginx-1.5.0 -- to fix a buffer-overflow vulnerability that attackers could exploit to execute arbitrary code on a Ngnix server and completely compromise it."




Tags: malware, apache web server, Nginx


0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.