Eyes Wide Open: Keeping a Watchful Eye on Apache Malware

ESET, an IT security company based in Slovakia, discovered an Apache exploit that injects malware into the web pages a web server delivers, with the ultimate aim of retrieving personal information.
We’ve talked about measures you should take to avoid getting hacked, especially on WordPress, and even written a guide for when your website has troubles, so we won’t go into those details now. While we haven’t seen widespread issues with this malware, it’s important to understand how it works to ensure you’re not affected.

The malware, called Linux/Chapro.A, uses multiple features that work stealthily on users’ pages to camouflage its presence. ESET analyzed this latest malware attack and found that it runs inside the unsuspecting Apache software and injects an iFrame into pages the server delivers, which then leads to the installation of a Zeus variant, Win32/Zbot, on users’ machines.
Here are the four features of Linux/Chapro.A. Some of them may sound very technical, but the more geeky readers may appreciate some of the finer points!

  1. Uses an obfuscation technique – According to ESET’s findings, this malicious Apache module is an x64 Linux binary. “It uses an XOR loop with a 12 byte long key to encode most of the strings,” said Pierre-Marc Bureau, Security Intelligence Program Manager. “The program has many capabilities to evade detection by system administrators.”

  2. Inspects all active SSH sessions – Another feature of this malware is its ability to inspect all active SSH sessions. It employs multiple stealth actions to mask its operation from website operators. Mr. Bureau said, “If a visitor browses a page using any of the same IPs involved in a SSH connection, it will not be served the malicious content. This helps hide the malicious content from system administrators, web developers and others who might be working on the web server.”
    The iFrame content that unsuspecting users receive is obtained by the malware, which sends an HTTP POST request to its command-and-control server every 10 minutes.

  3. Sets a cookie – When a page is visited, the malware sets a cookie, and according to Mr. Bureau, the malicious content will not be served if the visiting browser already has that cookie set. This makes it more difficult for visitors to determine how their system was infected, since the cookie ensures that the visitor will not receive the malicious content again.

  4. Maintains a list of IP addresses – Finally, this malware maintains a list of the IP addresses to which it has served the malicious content. Mr. Bureau said, “If a user visits an infected website twice from the same IP address, it will only receive the malicious content once.”

This process makes it more difficult to determine how it all started. ESET’s findings show that the malicious command-and-control server was hosted in Germany but has gone offline. Meanwhile, the iFrame injected by the malware points to a “Sweet Orange” exploit landing page hosted in Lithuania.
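
Since the iFrame is injected by the Apache module as the page is delivered, one practical check is to compare a served response with the file on disk and flag any iFrame that exists only in the response. The sketch below is an added example, not ESET's tooling: the function names, the "hidden" heuristic and the sample HTML are constructed assumptions. Given the evasion features above, the served copy has to be captured from an IP address with no SSH session on the server, with no cookies, and from an address that has not fetched the page before.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collects (src, hidden) for every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        # Heuristic (assumption): tiny or invisible frames deserve a closer look.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.frames.append((a.get("src", ""), hidden))

def iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.frames

def injected_iframes(on_disk_html, served_html, own_hosts=()):
    """Return iframes present in the served response but absent from the file on disk."""
    known = {src for src, _ in iframes(on_disk_html)}
    findings = []
    for src, hidden in iframes(served_html):
        if src in known:
            continue
        host = urlparse(src).hostname or ""
        findings.append({"src": src, "host": host, "hidden": hidden,
                         "third_party": host not in own_hosts})
    return findings

# Constructed sample data: the file as stored, and the same page as delivered.
ON_DISK = ('<html><body><h1>Shop</h1>'
           '<iframe src="https://www.example.com/map"></iframe></body></html>')
SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://landing.example.net/x" width="1" height="1" '
    'style="visibility: hidden"></iframe></body>')

if __name__ == "__main__":
    for finding in injected_iframes(ON_DISK, SERVED, own_hosts=("www.example.com",)):
        print(finding)
```

A clean result from a single fetch proves little here: the cookie and IP list mean each client sees the iFrame at most once, so every capture needs a fresh address and an empty cookie jar.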