Super Stealthy Backdoor Spreads To Hit Hundreds Of Thousands Of Web Users

Super Stealthy Backdoor Spreads To Hit Hundreds Of Thousands Of Web Users

Backdoor Spreads To Hit Hundreds Of Thousands Of Web Users || One of the most sophisticated web server backdoors ever seen has spread fast and is now sitting on hundreds of webservers running some of the most popular websites in the world, researchers have warned.

One expert told TechWeekEurope the Cdorked backdoor, brought to light in April, is almost as smart as Stuxnet, the malware which disrupted Iranian nuclear facilities, highlighting the severity of the threat.

ESET said it had uncovered 400 webservers infected with Linux/Cdorked.A, 50 of which are amongst the top 100,000 most popular websites, according to the Alexa ranking service. The highest ranked site using an infected server was in the top 2,000.

What is a backdoor?

Imagine you are a thief covering a house for a potential robbery. There is a “Protected by …” security sign on the front lawn and ring doorbell camera. You’re a cunning cat thief, so jump over the fence leading to the back of your house. There is a backdoor and try the knobs with your fingers crossed. The lock is unlocked. Casual observers have no external signs of robbery. In fact, there’s no reason you couldn’t rob this house again from the same back door without looting the place.

Computer backdoors work in much the same way.

In the cybersecurity world, backdoors are backdoors where authorized and unauthorized users bypass the usual security measures and gain a high level of user access (root access) in a computer system, network, or software application. It refers to the method that can be done. Once compromised, cybercriminals can use backdoors to steal personal and financial data, install additional malware, and hijack devices.

But backdoors aren’t just for the bad guys. Backdoors can also be installed by software or hardware manufacturers as a deliberate means of accessing technology after the fact. A non-criminal type of backdoor can help customers who are desperately locked out of their device, or troubleshoot and resolve software issues.

Unlike other cyber threats that inform users (looking at ransomware), backdoors are known to be unobtrusive. Backdoors exist for a specific group of people who know to have easy access to the system or application.

As a threat, backdoors don’t go away anytime soon. Backdoors were the fourth most common threat detection in 2018 for both consumers and businesses, up 34% and 173% year-on-year, respectively, according to the Malwarebytes Labs Malware Status Report.

If you’re worried about backdoors, want to hear about backdoors in the news and find out what you’re doing, or if your computer has a backdoor and you need to get rid of it right away, you’re in the right place. Be prepared to read and learn everything you wanted to know about backdoors.

Massive backdoor attack

The ultimate purpose of the backdoor is to redirect the user to a website to infect the user with malware using the Blackhole Exploit Kit or to push the user to a click fraud porn site. ..

Initially, backdoors were thought to affect only Apache servers, but now it’s clear that open source Lighttpd and nginx servers are also under attack. It is very rare to see malware that can infect different types of web servers.

Given that ESET has seen 100,000 users of security products browsing infected websites for Linux / Cdorked, redirects have exposed more users to malware, potentially a number. It is clear that there will be one million people. | Backdoor Spreads

ESET also said it believes it is even more stealth and complex than Cdorked originally thought. Backdoors provide attackers with sufficient targeting capabilities by using a variety of blacklists and whitelists, including blacklists in specific languages ​​such as Japanese, Finnish, and Russian. | Backdoor Spreads

It also keeps a list of redirected IPs with a time stamp to avoid redirecting the same victim twice in a short period of time. This avoids detection. All of this remains in memory and the attacker modifies it via an HTTP request on the infected web server. All that is stored on your hard drive is malicious code that replaces the “httpd” file, which is the daemon or service used by your web server.

ESET believes attackers are doing all this to hide their activities. Righard Zwienenberg, senior researcher at ESET, compared the malware to Stuxnet, which is considered to be the most sophisticated malware ever created. | Backdoor Spreads

“When I look at it, it’s almost as sophisticated as Stuxnet when it was first discovered,” Zwienenberg told TechWeek Europe.  | Backdoor Spreads

“Attackers are very specific about what they block … I’m still finding some very interesting new things that show that this is really sophisticated malware.”

When asked why he thought it was close to Stuxnet’s level, he pointed out how the attacker’s infrastructure was using a compromised DNS server. Users who can access DNS servers are malicious to all users who use these services, regardless of whether they have visited a website running the infected server, if the URL has been translated to an IP address. You can be directed to a website.

The compromised DNS server can also prevent an attacker from sending the victim twice to the same infected site. This is another clever way to hide fraudulent activity.

“You can control everything people are looking at in order to be able to use Trojanized DNS servers that are the backbone of routing on the Internet. They redirect you to your bank’s site. It’s scary because it’s possible, “Zwienenberg added.

Security companies are also pushing Apple iPads and iPhones to porn sites probably because of click fraud, given that locked down iOS models should not allow unsigned malware to invade devices. I found that a specific redirect was configured for the user. However, this is only if the user has not jailbroken the device.

“Many porn websites have automatic downloaders that try to get all sorts of dangerous content on the iPhone,” Zwienenberg said.

Visitors using Internet Explorer or Firefox on Microsoft Windows XP, Vista, or 7 will be sent to a site that offers the Blackhole Exploit Kit.

Webserver admins have been advised to hunt for evidence of Cdorked, and ESET has published a tool to help locate the backdoor.

One big mystery remains: ESET has no idea how the backdoor got onto servers in the first place. The malware does not propagate by itself and it does not appear to exploit a vulnerability in webserver software.