Linux Malware Campaign uses Hacked DNS Server

June 19th, 2013 by admin

The attack that employed compromised Apache Web server binaries is turning out to be more complex than originally thought, as researchers have now found that the attackers are also using trojanized Nginx and Lighttpd binaries as part of the campaign. More concerning, though, is the possibility that the attackers have also compromised a number of DNS servers and are using them to change crucial elements of the campaign on the fly and to help hide their tracks.

The new details of the attack campaign, which researchers have dubbed Linux/Cdorked, show that the attackers have cast a wider net than was originally found and have access to a wider range of compromised machines. Researchers at ESET who have analyzed the attack say that the group behind it may have been active since December 2012. The researchers have discovered more than 400 Web servers compromised by this malware and found that some of them are among the most highly trafficked sites on the Web.

Still, even with the new details and further investigation into the attack, researchers aren’t sure how the attackers are getting their malware onto the compromised Web servers.

“We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in specific software. Linux/Cdorked.A is a backdoor, used by a malicious actor to serve malicious content from legitimate websites,” Marc-Etienne M. Leveille of ESET wrote in an analysis of the attacks.

The general pattern of the attacks involves the attackers modifying Web server binaries on target sites and then using the malicious binary to serve code to certain users that redirects them to a malicious site. The user may then be redirected to a third site, but the end goal is to push the victim to a site that serves the Blackhole exploit kit. On mobile devices, such as iPhones and iPads, users are redirected to porn sites.

The attackers in this campaign are being quite careful to hide their actions, both at the client level and in a larger sense. In addition to keeping a large blacklist of IP ranges that the malware will not redirect to malicious Web sites, the attackers also appear to be using compromised DNS servers to change domains and subdomains quickly. The URLs of the domains that form the redirection chain for the Cdorked malware have a peculiar format, and after looking into them, the ESET researchers came to the conclusion that the DNS servers being used have been compromised.

“The peculiar format of the subdomains and the fact that they are constantly changing strongly suggested that the DNS servers were also compromised. We did some tests where we modified the characters of the subdomain and in some cases the IP address in the response changed. With some more testing we were able to confirm that the IP address returned by the DNS request is actually encoded in the subdomain itself. It is using the characters at odd positions to form a 4-byte-long hex string to decode the IP address from. A basic chained XOR cipher is used to encode the IP address,” Leveille said. “Due to the algorithmic nature of this behavior, we see no other explanation than the presence of trojanized DNS server binaries on the nameservers involved in Linux/CDorked.A.”
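To make the observation above concrete, here is an added illustration (not ESET's code, and not the real Cdorked parameters) of a subdomain that carries its own A-record answer: the characters at odd zero-based positions form 8 hex digits, a chained XOR undoes the encoding, and a resolver-log check flags any answer that the query name alone predicts. The 4-byte key, the chaining rule, the even/odd convention and the log format are all assumptions made for the example.

```python
import re
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# ASSUMED 4-byte key and chaining rule for illustration only; the article does not publish
# the real Cdorked cipher parameters, so a live detector would need ESET's published values.
KEY = bytes([0x5a, 0x3c, 0x7e, 0x91])

def chained_xor(data: bytes, decrypt: bool) -> bytes:
    """Chained XOR over 4 bytes: byte i is XORed with KEY[i] and the previous *encoded* byte."""
    out = bytearray()
    prev = 0                        # chain seed for the first byte
    for i, b in enumerate(data):
        x = b ^ KEY[i] ^ prev
        out.append(x)
        prev = b if decrypt else x  # chain on the encoded byte in both directions
    return bytes(out)

def decode_label(label: str) -> Optional[IPv4Address]:
    """Take the characters at odd (zero-based) positions; 8 hex digits -> 4 address bytes."""
    hexpart = label[1::2]
    if not re.fullmatch(r"[0-9a-fA-F]{8}", hexpart):
        return None
    return IPv4Address(chained_xor(bytes.fromhex(hexpart), decrypt=True))

def encode_ip(ip: str, filler: str) -> str:
    """Inverse of decode_label; used here only to build the constructed sample log."""
    hexpart = chained_xor(IPv4Address(ip).packed, decrypt=False).hex()
    return "".join(f + h for f, h in zip(filler, hexpart))  # filler even, hex odd

LOG_RE = re.compile(r"^(?P<qname>\S+)\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")  # "<qname> A <ip>"

def flag_encoded_answers(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag answers whose A record equals the address encoded in the query's first label."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        decoded = decode_label(m["qname"].split(".")[0])
        if decoded is not None and decoded == IPv4Address(m["ip"]):
            hits.append((m["qname"], m["ip"]))
    return hits

SAMPLE_LOG = [  # constructed log lines using RFC 5737 documentation addresses
    f"{encode_ip('203.0.113.45', 'qwertyui')}.example.net A 203.0.113.45",
    "www.example.net A 198.51.100.7",
    "a1b2c3d4e5f6a7b8.example.net A 192.0.2.9",  # hex-looking label, answer does not match
]
```

Run over the constructed log, only the first line is flagged, which is the signal a defender would look for in passive DNS data: a response that is a deterministic function of the query name rather than of a zone file.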

Security researchers say that the tactics the attackers are using are not the most efficient ones and that they are causing themselves some unnecessary trouble.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

