[nflug] Mass attack on Apache servers can be stopped: SecureWorks

Fri Jan 25 13:59:41 EST 2008

Security vendor SecureWorks reported this week that the mass attack 
launched against Apache web servers running on the open-source Linux 
operating system can be thwarted by disabling dynamic loading in the 
Apache configuration.

  The attack, originally thought to have impacted several hundred websites, 
actually has infected about 10,000 websites, including some in the United 
States but mostly in the United Kingdom and India, according to 
SecureWorks.

The compromised websites, mostly hobby and travel sites without security 
administrators to keep them updated, can infect their visitors with 
malicious JavaScript code that can steal a variety of personal 
information, including bank user names and passwords, Social Security and 
credit card numbers and online payment accounts, according to SecureWorks.

The malicious JavaScript takes advantage of flaws in QuickTime and a host 
of other applications and services, including SuperBuddy and Yahoo 
Messenger's GetFile, SecureWorks researchers said.

According to the Atlanta-based managed security service provider, the 
exploits install a copy of Rbot and other malware on Apache servers. These 
are typically large files in the 144 KB to 433 KB range, and are "packed" 
in a way that avoids alerts for suspicious use of packets, tools that 
compress and scramble code in executable files.

SecureWorks says that organizations can protect against this attack by 
disabling dynamic loading in their Apache module configurations. The 
manner in which the perpetrators have injected their code into Apache 
servers is "very clever," Jon Ramsey, SecureWorks chief technology 
officer, told SCMagazineUS.com.

  "[The code-injection process] changes the behavior of the Apache server 
to deliver malware content," he said.

Visitors to infected websites can avoid infection by ensuring their 
anti-virus signatures are up to date and that they have patched all 
vulnerable software. The attack does not take advantage of any unknown or 
zero-day vulnerabilities, SecureWorks added.

SecureWorks has yet to pinpoint exactly who the attackers are, Ramsey 
said.

  "The attacks do not match any typical attack patterns from any of the 
well-known Russian or Chinese groups," SecureWorks said in a prepared 
statement. "Some signs [indicate it is] Western European or even North 
American in origin."

"We have some interesting clues about where the group or person may be 
from, but no definitive information," Ramsey said.