EvilZone

Hacking and Security

DarkLeech - malware mod for Apache
hacker@sr.gov.yu, September 17, 2012, 11:18:03 AM



Next level of infecting web server gone public:

Quote:
http://ondailybasis.com/blog/?p=1368
Re: DarkLeech - malware mod for Apache
s3my0n, September 17, 2012, 12:00:13 PM
Good job Russians :P

Quote:
System requirements:
Webserver: Apache2 server
Operating system: Linux, BSD
Access level: root
Price: 1000$
Installation instructions: Place the mod in any folder, edit the Apache config file to add 1 string and restart the server.
Major features:
- insert frames into php, html, js on the fly
- frame delivered to unique users only, no frame on repeat visits. << known anti-forensics. Interesting how this is implemented here: external logs, or based on Apache2?
- possibility of framing only traffic that came from search engines << looks like the Referer field again?
- different modes of framing: low, standard, aggressive
- update of the malicious frame from an external URL
- Admins of the webserver that have ssh access to it are excluded from frame delivery. The system is also able to detect the admin's IP by the URL of administrative access and ban the admin IP from the framing procedure.
- When root or any user in the sudo group logs into the server, the module switches to "quiet mode", and only when the admin's IP is banned or filtered out does the server proceed with infecting visitors.
- users filtered out by origin, OS version, local IP requests etc. << this is based on User-Agent, as far as I understand.
- When the module detects any suspicious process in memory (tcpdump, rkhunter etc.), it stops its activity
- option to encrypt the framing.
As the seller claims, the module was used privately for the last 2 years and is now available for sale. The current version is 14.0.
Major reason for going public: recently researchers came close to finding it out, so there is no reason to stay private.
Mod written in C and PHP
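The installation path the ad describes (a module dropped in any folder and loaded with one added config line) is the footprint a defender can audit for. Added example, not from the thread or from the blog it quotes: a POSIX sh script that flags LoadModule directives whose shared object lives outside the distribution's module directory; the allowed directory list and the sample config are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the quoted blog): audit Apache LoadModule
# directives for shared objects loaded from outside the distribution's module
# directory. Directory list is an assumption; adjust for your distro/packaging.
ALLOWED_MODULE_DIRS=${ALLOWED_MODULE_DIRS:-"/usr/lib/apache2/modules /usr/lib64/httpd/modules /usr/lib/httpd/modules"}

# Print "module_name path" for every LoadModule whose .so is not under an
# allowed directory. Relative paths (Apache resolves them against ServerRoot)
# are reported too, so the reviewer resolves them by hand instead of trusting them.
audit_loadmodule() {
    [ "$#" -gt 0 ] || return 0
    grep -hE '^[[:space:]]*LoadModule[[:space:]]' "$@" \
    | while read -r directive modname path; do
        path=${path%\"}; path=${path#\"}          # strip optional quotes
        ok=0
        for d in $ALLOWED_MODULE_DIRS; do
            case "$path" in
                "$d"/*) ok=1 ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s\n' "$modname" "$path"
        fi
    done
    return 0
}

# Constructed sample config (not from any real server) with one module loaded
# from an unexpected location, so the audit can be demonstrated offline.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed httpd.conf fragment
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule rewrite_module "/usr/lib/apache2/modules/mod_rewrite.so"
  LoadModule example_module /var/tmp/.cache/mod_example.so
EOF
}

# Demo on the sample. On a Debian-style server you would instead run e.g.:
#   audit_loadmodule /etc/apache2/apache2.conf /etc/apache2/mods-enabled/*.load
sample=$(mktemp)
write_sample_config "$sample"
audit_loadmodule "$sample"      # prints: example_module /var/tmp/.cache/mod_example.so
rm -f "$sample"
```

Because the ad says the frame is served once per unique visitor and never to admin IPs, fetching your own site is not a reliable check; auditing what the server actually loads does not depend on the module's delivery rules.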
Re: DarkLeech - malware mod for Apache
Mioskava, September 17, 2012, 12:29:27 PM
That's pretty smart and a good way to stay hidden. I wonder if they'll start porting it to nginx. Bit less common but people are starting to use it more.
Re: DarkLeech - malware mod for Apache
Stackprotector, September 17, 2012, 01:26:12 PM
Lol nice, but I think this method is too easy to fix and detect :P