It is starting to look like the existence of Linux/Cdorked.A could be a serious problem for the owners of web servers.
Linux/Cdorked.A is an advanced and stealthy Apache backdoor which can drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs.
Now security experts at Eset have found that the backdoor also infects sites running the nginx and Lighttpd web servers.
While Apache is the bigger of the names, nginx has 15 percent of the webserver market and Eset has found 400 webservers infected with the backdoor, and 50 of them are among the world’s most popular and visited websites.
Those who use Internet Explorer or Firefox on MicrosoftWindows XP, Vista or 7 are the only ones who get redirected to sites hosting Blackhole, but AppleiOS users are also in danger as they get redirected to adult content sites that might be hosting malware.
A spokesperson from Eset said that it looks like the Linux/Cdorked.A threat is more stealthy than first thought. For example it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges. If the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian, then the malware will not run.
The aim of this is to keep the work of the malware beneath the radar of the authorities and hinder monitoring efforts.
Cdorked uses compromised DNS servers to resolve the IP addresses of redirected sites which also makes the source of the malware hard to find.
At the moment the Blackhole exploit kit is currently delivering a variant of the Glupteba Trojan to the unsuspecting victims. This pushes clickjacking contextual advertising onto users.
But there is a lot about the backdoor that the researchers have not worked out yet. It is not clear how the malicious software was installed on the web servers. The malware does not propagate by itself and it does not exploit vulnerabilities in specific software.
To help system administrators spot the existence of the backdoor on their web servers, Eset has released a script that detects a specific modified httpd binary on the hard drive that’s a definitive sign of infection.