Sneaky Linux/Cdorked.A
Backdoors are great, when you're talking about the doors on a house. It's a great place to sneak out without being noticed, as many a teenager will attest to.
A backdoor in the tech world, however, is not a good thing at all. A backdoor is basically a well-hidden way for someone to be given unauthorized remote access to a computer system.
Watch out, those with Linux hosting, or even Windows hosting. Linux/Cdorked.A is here, and it's a backdoor causing huge problem for your web servers.
What Is Linux/Cdorked.A?
This is a highly advanced and hard to detect Apache backdoor, pushing traffic from their intended website to a malicious website featuring Blackhole exploit kits. But wait, what does that mean?
The web page they are redirected to contains obscure JavaScript that figures out what is on the visitor's computer and loads any and all exploits to which that specific computer is vulnerable. Occasionally, a Java applet tag is loaded which loads a Java Trojan horse.
Security experts with Eset, a leader in the antivirus industry, now say that this backdoor also infects sites relying on nginx and Lighttpd servers.
Sneaky Linux/Cdorked.A: How Many Are Affected?
Although Apache servers may be very well-known, 15 percent of the web server market relies on Nginx. Eset discovered 400 web servers to be infected with the Linux/Cdorked.A backdoor, 50 of which are among the most visited websites.
Who's At Risk?
If you are running either Internet Explorer or Firefox in Windows XP, Vista, or 7, you're the only ones in danger of being redirected to those sites hosting Blackhole. However, Apple iOS users should be careful: they are redirected to adult hosting sites that could also be hosting malware.
An Eset spokesperson said that the Linux/Cdorked.A threat appears to be more covert than they originally anticipated. The backdoor will not transfer malicious content if the IP address of the victim is contained in a list miles long of blacklisted IPs. If the browser you're using is set to either Finish, Russian, Japanese, Ukrainian, Kazakh, or Belarusian languages, the malware does not run at all.
Super Stealthy
Why would this be? It keeps the work of the malware well hidden from those who might be monitoring the malicious activity, as well as away from the eyes of authorities. It appears the operator behind the malware would rather make it virtually impossible to be caught rather than infect as many victims as they can.
The backdoor relies on compromised DNS servers to execute IP addresses of redirected sites, another reason it is so hard to detect.
Currently, the Blackhole exploit kit is giving the computers of its victims the unwanted gift of a form of the Glupteba Trojan, bringing unwanted clickjacking contextual advertising to the user.
Still A Mystery
Have researchers learned all there is to know about the Linux/Cdorked.A backdoor? Unfortunately not. They have no clue how this malicious software end up being installed on web servers in the first place. It doesn't multiply on its own, and doesn't attack vulnerabilities in any software in particular.
With what they do know about Linux/Cdorked.A, Eset released a script that finds a certain modified httpd binary contained on the hard drive. This code is a sign that your system is most definitely infected. This was released in an effort to assist system administrators in finding this stealthy backdoor on their servers, whether Linux shared hosting or virtual private server.
Protect Yourself
Eset recommends system administrators rely on their standard packaging systems to validate the integrity of their web servers, and offers a tool that will dump the Linux/Cdorked.A configuration if it is discovered.
If you are an Internet user, Eset offers some tips to protect your computer: keep your OS, browser, browser extensions, and third party software such as PDF readers, Flash players, and Java as up to date as possible. Also, use your antivirus software frequently.
Have your servers fallen victim to Linux/Cdorked.A? Do you keep your software fully up-to-date and perform religious antivirus scans?
