Darkleech: Apache Malware
It's every webmaster's worst nightmare: malware. But this isn't just any malware: it is highly vicious, and it has attacked an enormous number of websites that run the Apache web server. In all, over 40,000 domains have been compromised in the past nine months, according to a report put out by ESET, an antivirus company.
The most worrisome part of all of this: the frequency of these attacks is on the rise. In May alone, 15,000 attacks occurred. The data shared by ESET places the beginning of the malware campaign no earlier than February 2011.
It isn't restricted to the US, either. Activity is increasing in Europe and Canada as well as the US, and at the end of 2012 Symantec predicted it would spread to Australia soon. Symantec also released a white paper about ransomware, a form of malware, entitled “Ransomware: A Growing Menace.”
This Apache module is known as Darkleech, and it was installed on the compromised Apache web servers. Darkleech injects an iframe into a served web page, which redirects the visitor to a malicious URL hosting the Blackhole exploit kit; the kit then attempts to exploit vulnerable, unpatched browsers, Java, or Adobe Reader plugins and install the malware.
If you are a visitor who has not applied the updates that patch these vulnerabilities, you will find yourself infected with a host of dangerous malware. ESET reports that users are only attacked when they use Internet Explorer or Oracle's Java plugin.
One aspect of this malware campaign: users' computers are locked, with a fee of $300 demanded in order to free their data. It's called a ransomware scam, and ESET believes the hackers have worked out how to effectively compromise cPanel and Plesk. The malware program is called Nymaim, and it is customized according to the user's location. Some users are shown a bogus warning claiming they are under investigation by the FBI.
Darkleech will sometimes skip users accessing the Internet from IP addresses belonging to web hosting or security companies, users who have been infected recently, and visitors who did not arrive at the hacked pages via specific search queries.
A Harder Battle To Fight
Because this module is selective about whom it infects, it is a whole lot harder for security companies to learn more about the Darkleech developers and block these infections in the future.
What can you do? ESET advises webmasters to protect themselves and their users from this deadly malware by taking all necessary security measures, such as keeping software and the operating system up to date, and relying on a security scanning program to verify that the server's HTTP daemon has not been altered.
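As an added example of the integrity check ESET recommends (not code from ESET or this article), the script below hashes the Apache binary and module directory from a known-clean state and reports anything added, changed or removed; the default paths are assumptions, and the baseline should be stored off-host so a compromised server cannot rewrite it.

```python
"""Baseline-and-compare integrity check for an Apache install (added example)."""
import hashlib
import os
import tempfile

# Assumed default locations; check your distribution's layout before use.
DEFAULT_TARGETS = ["/usr/sbin/httpd", "/usr/lib/apache2/modules"]


def sha256_file(path):
    """Return the hex SHA-256 of one file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(targets):
    """Map every regular file under the targets (files or directories) to its hash."""
    baseline = {}
    for target in targets:
        if os.path.isfile(target):
            baseline[target] = sha256_file(target)
        elif os.path.isdir(target):
            for root, _dirs, files in os.walk(target):
                for name in files:
                    path = os.path.join(root, name)
                    if os.path.isfile(path):  # skips broken symlinks
                        baseline[path] = sha256_file(path)
    return baseline


def compare(baseline, current):
    """Return (added, modified, removed): an unexpected .so in the module
    directory or a changed httpd binary is what a server-side implant like
    Darkleech looks like on disk."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Constructed sample: fake httpd + module dir, then a dropped module and a patched binary."""
    with tempfile.TemporaryDirectory() as tmp:
        httpd, mods = os.path.join(tmp, "httpd"), os.path.join(tmp, "modules")
        os.mkdir(mods)
        for p, data in [(httpd, b"ELF-binary"), (os.path.join(mods, "mod_ssl.so"), b"ssl")]:
            open(p, "wb").write(data)
        baseline = build_baseline([httpd, mods])
        open(os.path.join(mods, "mod_unknown.so"), "wb").write(b"x")  # simulated implant
        open(httpd, "wb").write(b"ELF-binary-patched")  # simulated tampering
        result = compare(baseline, build_baseline([httpd, mods]))
        return tuple(sorted(os.path.basename(p) for p in lst) for lst in result)
```

Run `demo()` to see the three lists; in production, feed `build_baseline(DEFAULT_TARGETS)` from a clean install into `compare` on a schedule and alert on any non-empty list.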
One thing is for certain: it isn't going to get better anytime soon. According to Sebastien Duquette, ESET malware researcher, “Malicious modification of server binaries seems to be a very popular trend for malware distribution.” Darkleech compromises the infrastructure of a web hosting company, spelling bad news for all web pages hosted there.
“Given how successful these campaigns have been so far at redirecting massive amounts of visitors it is hardly surprising to see these abuses on the increase,” said Duquette. Only time will tell if these hackers can be stopped.