That super-stealthy Apache backdoor isn’t just limited to Apache… it’s been found in lighttpd and nginx webservers too, and one security firm found the thing on more than 400 websites (including 50 in the Alexa top 100k).
It also turns out that the backdoor is trying not to be found even harder than previously thought… and that it’s occasionally configured to specifically target people running iOS devices.
What’s the significance of that? Well, they’re probably not looking to exploit the MAC address flaw mentioned recently. If they’re targeting iOS clients, they probably have a driveby exploit for iOS — which in turn suggests a /very/ high level attacker.* That would be consistent with the extreme length the backdoor goes to in order to hide itself, too. As one analyst put it, whoever wrote this cared more about not getting caught than they did about getting a big botnet.
Defense: Uh, keep an eye on your webserver binaries if you run a web server.
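One way to keep that eye on the binaries, as an added example that is not from the original post or the quoted report: record SHA-256 hashes of the Apache, nginx and lighttpd binaries while the host is in a known-good state, then compare against that record on a schedule. The binary paths, the baseline location and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: baseline-and-compare check for web server binaries.
# Paths below are assumptions; adjust to where your distribution installs them.
WEB_BINARIES="${WEB_BINARIES:-/usr/sbin/httpd /usr/sbin/apache2 /usr/sbin/nginx /usr/sbin/lighttpd}"
BASELINE="${BASELINE:-/var/lib/webbin-baseline.sha256}"   # hypothetical location

# record_baseline BASELINE_FILE FILE...
# Writes one "sha256  path" line for every listed file that exists.
record_baseline() {
    local out=$1 f
    shift
    : > "$out" || return 2
    for f in "$@"; do
        [ -f "$f" ] && sha256sum "$f" >> "$out"
    done
    return 0
}

# check_baseline BASELINE_FILE
# Prints one line per changed or missing binary.
# Returns 0 if everything matches, 1 on any difference, 2 if no baseline.
check_baseline() {
    local baseline=$1 want path have status=0
    [ -r "$baseline" ] || { echo "no baseline: $baseline" >&2; return 2; }
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# Usage: script.sh baseline   (run once, on a known-good system)
#        script.sh check      (run from cron; non-zero exit means investigate)
case "${1:-}" in
    baseline) record_baseline "$BASELINE" $WEB_BINARIES ;;
    check)    check_baseline "$BASELINE" ;;
esac
```

Keep the baseline file off the server or on read-only media, since anyone able to replace the daemon binary can also rewrite a hash file stored next to it.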
“We have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites.
The backdoor has been applied to other webserver daemons. Thanks to the information provided by affected system administrators, we were able to analyze trojanized Lighttpd and nginx binaries in addition to the already documented Apache binaries.
According to our global telemetry data, this operation has been active since at least December 2012.
The Linux/Cdorked.A threat is even more stealthy than we first thought: By analysing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian.
Our telemetry data shows that almost 100,000 users of ESET security products have browsed infected websites due to Linux/Cdorked.A redirection, although the attack was blocked by those products.
In some of the configurations we were able to analyze, specific redirections were configured for Apple iPad and iPhone users.”