[nflug] Mass attack on Apache servers can be stopped: SecureWorks

Erek Dyskant erek at blumenthals.com
Fri Jan 25 14:05:24 EST 2008


Robert,
	I've been following this issue pretty closely.  Disabling dynamic
loading is much much easier said than done, as in most modern
distributions everything interesting in apache (php, mod_perl, etc.) is
done as a dynamic module.  To stop the attack vector one would have to
recompile apache with all of those modules compiled into the server.
	Also, people have reported that there's a separate rootkit on the loose
that delivers the same payload, rewriting the TCP stream to include the
exploited JavaScript.  The difference is that this incarnation needs root
on the server, and quite a few servers have been rooted, but it's not
clear exactly how at this time.

--Erek


On Fri, 2008-01-25 at 13:59 -0500, Robert Wolfe wrote:
> Security vendor SecureWorks reported this week that the mass attack 
> launched against Apache web servers running on the open-source Linux 
> operating system can be thwarted by disabling dynamic loading in the 
> Apache configuration.
> 
>   The attack, originally thought to have impacted several hundred websites, 
> actually has infected about 10,000 websites, including some in the United 
> States but mostly in the United Kingdom and India, according to 
> SecureWorks.
> 
> The compromised websites, mostly hobby and travel sites without security 
> administrators to keep them updated, can infect their visitors with 
> malicious JavaScript code that can steal a variety of personal 
> information, including bank user names and passwords, Social Security and 
> credit card numbers and online payment accounts, according to SecureWorks.
> 
> The malicious JavaScript takes advantage of flaws in QuickTime and a host 
> of other applications and services, including SuperBuddy and Yahoo 
> Messenger's GetFile, SecureWorks researchers said.
> 
> According to the Atlanta-based managed security service provider, the 
> exploits install a copy of Rbot and other malware on Apache servers. These 
> are typically large files in the 144 KB to 433 KB range, and are "packed" 
> in a way that avoids alerts for suspicious use of packers, tools that 
> compress and scramble code in executable files.
> 
> SecureWorks says that organizations can protect against this attack by 
> disabling dynamic loading in their Apache module configurations. The 
> manner in which the perpetrators have injected their code into Apache 
> servers is "very clever," Jon Ramsey, SecureWorks chief technology 
> officer, told SCMagazineUS.com.
> 
>   "[The code-injection process] changes the behavior of the Apache server 
> to deliver malware content," he said.
> 
> Visitors to infected websites can avoid infection by ensuring their 
> anti-virus signatures are up to date and that they have patched all 
> vulnerable software. The attack does not take advantage of any unknown or 
> zero-day vulnerabilities, SecureWorks added.
> 
> SecureWorks has yet to pinpoint exactly who the attackers are, Ramsey 
> said.
> 
>   "The attacks do not match any typical attack patterns from any of the 
> well-known Russian or Chinese groups," SecureWorks said in a prepared 
> statement. "Some signs [indicate it is] Western European or even North 
> American in origin."
> 
> "We have some interesting clues about where the group or person may be 
> from, but no definitive information," Ramsey said.
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug
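A defender-side check for the point Erek raises above, added here as an example (not code from the thread or from SecureWorks): because production Apache installs depend on DSOs, an alternative to disabling dynamic loading is to audit which modules the configuration actually loads against a known-good allow-list. The config fragment, module names and directories below are constructed.

```python
"""Audit Apache LoadModule directives against an allow-list (constructed example)."""
import re
from pathlib import PurePosixPath

# Matches active LoadModule lines; quoted and unquoted paths are both accepted.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.IGNORECASE)

def parse_loadmodules(config_text):
    """Return (module_name, path) for every uncommented LoadModule directive."""
    found = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = LOADMODULE_RE.match(line)
        if match:
            found.append((match.group(1), match.group(2)))
    return found

def audit_modules(config_text, allowed, allowed_dirs):
    """Flag modules whose name is unknown, whose filename differs from the
    expected one, or whose path lies outside the trusted module directories."""
    findings = []
    for name, path in parse_loadmodules(config_text):
        reasons = []
        filename = PurePosixPath(path).name
        parent = str(PurePosixPath(path).parent)
        if name not in allowed:
            reasons.append("module not in allow-list")
        elif allowed[name] != filename:
            reasons.append("unexpected file %s for %s" % (filename, name))
        if parent not in allowed_dirs:
            reasons.append("loaded from untrusted directory %s" % parent)
        if reasons:
            findings.append((name, path, reasons))
    return findings

# Constructed httpd.conf fragment; the last line is a made-up rogue entry.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
LoadModule php5_module   modules/libphp5.so
LoadModule perl_module   modules/mod_perl.so
#LoadModule status_module modules/mod_status.so
LoadModule ssl_module    "/usr/lib64/httpd/modules/mod_ssl.so"
LoadModule example_module /tmp/.cache/mod_example.so
"""
ALLOWED = {"php5_module": "libphp5.so", "perl_module": "mod_perl.so",
           "ssl_module": "mod_ssl.so"}  # name -> expected filename (constructed)
ALLOWED_DIRS = {"modules", "/usr/lib64/httpd/modules"}  # relative to ServerRoot, or absolute

if __name__ == "__main__":
    for name, path, reasons in audit_modules(SAMPLE_CONF, ALLOWED, ALLOWED_DIRS):
        print("%s (%s): %s" % (name, path, "; ".join(reasons)))
```

On a real host, build the allow-list from the distribution's package database rather than by hand, so a module file that no package owns is reported.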
