Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning: Eset's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. And while Apache is definitely the most widely used of the three, nginx has also cornered a considerable portion of the market (around 15 percent).
The AV company's researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites.
They also discovered that while visitors who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are the only ones who get redirected to sites hosting Blackhole, iOS users are also in danger as they get redirected to adult content sites that might be hosting malware.
"The Linux/Cdorked.A threat is even more stealthy than we first thought: By analyzing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian," the researchers pointed out.
"We believe the operators behind this malware campaign are making significant efforts to keep their operation under the radar and to hinder monitoring efforts as much as possible. For them, not being detected seems to be a priority over infecting as many victims as possible."
The backdoor also keeps a low profile by using compromised DNS servers to resolve the IP addresses of the sites it redirects victims to.
The Blackhole exploit kit is currently delivering a variant of the Glupteba Trojan to the unsuspecting victims. That malware uses blackhat SEO techniques to push clickjacking contextual advertising onto users.
"We still don’t know for sure how this malicious software was deployed on the web servers," the researchers admit.
"We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software."
To help system administrators spot the existence of the backdoor on their webservers, Eset has released a script that detects a specific modified httpd binary on the hard drive that's a definitive sign of infection.
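The check Eset's script performs boils down to comparing the web server binary on disk with a known-good copy. The following is an added illustration of that kind of integrity check, not Eset's script: it assumes the administrator has recorded SHA-256 digests of the clean httpd, nginx and lighttpd binaries (from a fresh package or the distribution's package manager) and flags any binary whose digest no longer matches. The binary paths are constructed defaults.

```python
import hashlib
import os

# Constructed default locations of the three web server binaries the
# article names; adjust them to your distribution's layout.
DEFAULT_BINARIES = {
    "httpd": ["/usr/sbin/httpd", "/usr/sbin/apache2"],
    "nginx": ["/usr/sbin/nginx"],
    "lighttpd": ["/usr/sbin/lighttpd"],
}


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_binaries(baseline, candidates=DEFAULT_BINARIES):
    """Compare each installed web server binary with its known-good digest.

    baseline maps server name -> expected SHA-256 hex digest that the
    administrator recorded from a clean copy of the binary.
    Returns server name -> "ok", "MODIFIED", "unknown" (no baseline
    recorded) or "absent" (binary not installed at any candidate path).
    """
    results = {}
    for name, paths in candidates.items():
        present = [p for p in paths if os.path.isfile(p)]
        if not present:
            results[name] = "absent"
            continue
        expected = baseline.get(name)
        if expected is None:
            results[name] = "unknown"
            continue
        actual = sha256_of(present[0])
        results[name] = "ok" if actual == expected else "MODIFIED"
    return results


if __name__ == "__main__":
    # Fill BASELINE with the digests you recorded from clean binaries.
    BASELINE = {}
    for server, state in verify_binaries(BASELINE).items():
        print(f"{server}: {state}")
```

A "MODIFIED" result only says the binary differs from your baseline; a legitimate package update also changes the digest, so re-record the baseline after each update.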