ESET, an IT security company based in Slovakia, discovered an Apache exploit that injects malicious content into the web pages served by an infected web server, with the ultimate aim of stealing visitors' personal information.
We’ve talked about measures you should take to avoid getting hacked, especially on WordPress, and even written a guide if your website has troubles so we won’t go into those details now. While we haven’t seen widespread issues with this malware, it’s important to understand how it works to ensure you’re not affected.
The malware, Linux/Chapro.A, uses several features that work stealthily on users' pages to camouflage its presence. ESET analyzed this latest attack and found that it abuses the Apache software into infecting visitors' machines: it injects an iFrame into the pages the server delivers, and that iFrame leads to the installation of the Zeus variant Win32/Zbot.
Here are the four features of Linux/Chapro.A. Some of them may sound very technical, but the more geeky readers may appreciate some of the finer points!
Mr. Bureau said, “If a visitor browses a page using any of the same IPs involved in an SSH connection, it will not be served the malicious content. This helps hide the malicious content from system administrators, web developers and others who might be working on the web server.”
The malware obtains the iFrame content it injects by sending an HTTP POST request to its command-and-control server every 10 minutes, so unsuspecting visitors are served whatever content the operators have most recently supplied.
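As an added defender-side example (not code from the ESET report or the original post), the following check looks for the fixed-period behaviour described above: a web server POSTing to the same URL roughly every 10 minutes. The log format, hostnames and URLs are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound (egress) HTTP requests made by a web server.
# The "timestamp host method url status" format is an assumption for this example.
SAMPLE_LOG = """\
2012-12-18T10:00:01Z web01 POST http://c2.example.invalid/ 200
2012-12-18T10:03:17Z web01 GET http://updates.example.invalid/ 200
2012-12-18T10:10:02Z web01 POST http://c2.example.invalid/ 200
2012-12-18T10:20:01Z web01 POST http://c2.example.invalid/ 200
2012-12-18T10:30:03Z web01 POST http://c2.example.invalid/ 200
2012-12-18T10:40:00Z web01 POST http://c2.example.invalid/ 200
2012-12-18T10:12:44Z web01 GET http://updates.example.invalid/ 200
2012-12-18T11:05:09Z web01 POST http://api.example.invalid/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_lines(text):
    """Yield (timestamp, host, method, url) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def find_beacons(text, period=600, tolerance=5, min_hits=4):
    """Return {(host, url): mean_gap_seconds} for POST destinations contacted
    at a near-constant interval close to `period` seconds (default 10 minutes)."""
    posts = defaultdict(list)
    for ts, host, method, url in parse_lines(text):
        if method == "POST":
            posts[(host, url)].append(ts)
    hits = {}
    for key, stamps in posts.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call the timing regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Flag only if the average gap matches the period AND the jitter is low.
        if abs(avg - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = avg
    return hits
```

Unrelated GET traffic and the lone POST to a different URL are ignored; only the destination contacted at a steady ten-minute cadence is reported.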
The malware also sets a cookie in the visitor's browser and does not serve the malicious content again to a visitor who already carries it. This makes it harder for a visitor to work out how their system was infected, since revisiting the page will not reproduce the malicious content.
Together, these measures make it more difficult to determine how it all started. ESET's findings show that the malicious command-and-control server was being hosted in Germany but has since gone offline. Meanwhile, the iFrame injected by the malware points to a “Sweet Orange” exploit landing page being hosted in Lithuania.