Rogue Apache modules pushing iFrame injections which drive traffic to Blackhole exploit kit

Filed Under: Linux, Malware, SophosLabs, Vulnerability

The Blackhole exploit kit has received a lot of attention recently, and we have published several technical papers on it.

The attention is warranted - the kit remains one of the most prevalent being used by criminals to infect users with malware.

In this article I am going to take a look at some of the recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites.

JavaScript libraries on the legitimate websites are prepended with code like this:

Malicious redirect injected into JavaScript

Similarly, webpages are injected with an inline script:

Malicious redirect injected into web pages

Sophos products block both types of infection as Mal/Iframe-AL.

SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats!

If we correlate our malicious URL data against the Alexa top million site data, these Mal/Iframe-AL injections account for almost two-thirds of all popular sites that we have seen compromised in some way over the past week.

Breakdown of threats responsible for compromised popular web sites

Clearly, then, these attacks are widespread.

I wanted to dig a bit further into these attacks, in order to understand a bit more about how the sites are getting hacked.

Looking at data collected over the past 14 days (Feb 18th - March 4th 2013), I started off by looking at the host ISPs for the compromised web sites.

As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.

Distribution of compromised sites against ISPs (anonymized)

(I have anonymized the ISP data intentionally - I will be following up with as many of these as possible in order to try and get the servers cleaned up.)

Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.

Distribution of host countries for compromised web servers

If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the roughly 60% share of web servers that Apache held at the time, which is what we would expect to see if the attacks were agnostic to the platform.

Web server platform breakdown for compromised sites

Most of these servers are running CentOS, followed by Debian and then Ubuntu.

This last piece of data gives us some clues as to how these attacks are happening.

Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this.

Digging around it appears that this is indeed the root cause. The folks over at Sucuri managed to get hold of the rogue module that was used on one such victim server.

Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded: unfamiliar LoadModule directives (including those pulled in from included config fragments) and module files that the distribution's packages do not account for. Please feel free to send suspect modules to Sophos by following the regular sample submission guidelines.
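The following is an added example of the module check described above, not code from the original post or from Sophos. It compares the LoadModule directives in an Apache config against a baseline of "name path" pairs captured from a clean host, and on a live server asks the package manager (rpm on CentOS, dpkg on Debian/Ubuntu) whether each shared object in the module directory belongs to an installed package. The module names, paths and config lines in the demo are constructed for illustration; `mod_example_injected.so` is a hypothetical name and not a known Darkleech file name.

```shell
#!/bin/sh
# Added example, not code from the Sophos post: audit the modules an Apache
# server loads, first against a baseline of known-good "name path" pairs and
# then, on a live host, against package ownership.
# Module names and paths in the demo below are constructed for illustration.

# Print "module-name /path/to/file.so" for every LoadModule directive in the
# given config file(s). Comments are stripped first so commented-out lines
# do not count; leading whitespace is handled by awk's field splitting.
list_loadmodules() {
    sed -e 's/#.*//' "$@" | awk '$1 == "LoadModule" && NF >= 3 { print $2, $3 }' | sort -u
}

# Print every LoadModule entry in $1 that is not present verbatim in the
# baseline file $2 (one "name path" pair per line, taken from a clean host).
# A renamed module, an extra .so, or a changed path all show up here.
unexpected_modules() {
    list_loadmodules "$1" | while IFS= read -r entry; do
        grep -qxF -- "$entry" "$2" || printf '%s\n' "$entry"
    done
}

# On a live server: every .so in the module directory should belong to an
# installed package. Report the ones that do not. Follow up with
# `rpm -V httpd` or `debsums -c apache2` to catch owned files whose contents
# were replaced, and `apachectl -M` to see what is actually loaded,
# including modules pulled in from conf.d includes.
audit_module_dir() {
    for so in "$1"/*.so; do
        [ -e "$so" ] || continue
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$so" >/dev/null 2>&1 || printf 'UNOWNED %s\n' "$so"
        elif command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$so" >/dev/null 2>&1 || printf 'UNOWNED %s\n' "$so"
        else
            printf 'no package manager found; inspect %s manually\n' "$so"
        fi
    done
}

# Demo on constructed data: a baseline from a clean host, and a config into
# which one extra (hypothetical) LoadModule line has been slipped.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/baseline" <<'EOF'
rewrite_module modules/mod_rewrite.so
ssl_module modules/mod_ssl.so
EOF
    cat > "$tmp/httpd.conf" <<'EOF'
# LoadModule status_module modules/mod_status.so   (commented out: ignored)
LoadModule rewrite_module modules/mod_rewrite.so
  LoadModule ssl_module modules/mod_ssl.so
LoadModule example_injected_module modules/mod_example_injected.so
EOF
    # Prints only the injected line:
    # example_injected_module modules/mod_example_injected.so
    unexpected_modules "$tmp/httpd.conf" "$tmp/baseline"
    rm -rf "$tmp"
}

demo
```

On a real host, run `audit_module_dir /usr/lib64/httpd/modules` (CentOS) or `audit_module_dir /usr/lib/apache2/modules` (Debian/Ubuntu), and feed `unexpected_modules` every file that Apache includes, not just the main config, since a LoadModule line dropped into a conf.d fragment is loaded all the same. A file that no package owns, or that `rpm -V` / `debsums` reports as modified, is the thing to pull for analysis before the server is cleaned up.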

Update March 20th, 2013:
As noted above, we have been working with various affected ISPs in order to get servers cleaned up. Several malicious Apache modules have surfaced, and these are confirmed to be within the Apmod family, also known as 'Darkleech'. Samples obtained thus far are detected as Troj/Apmod-D.

An analysis of Apmod/Darkleech can be found here (Japanese).


7 Responses to Rogue Apache modules pushing iFrame injections which drive traffic to Blackhole exploit kit

  1. Cliff Jones · 562 days ago

    Will rogue modules have a consistent name, or will it change with each instance? Can you name a module that's known to have been compromised?

  2. Lee · 562 days ago

    If I wanted to block this using our Barracuda web filter, is there a way to do so? You have the IP blocked out and I doubt SEP detects this yet and the product as a whole is mostly useless IMO. I am looking for a way to block this at our Web Filter if possible.

    • Fraser Howard · 562 days ago

      There are many IPs being used so blocking specific ones will be pretty ineffective. I am not familiar with your web filter so do not know what capabilities it offers, but feel free to drop me an email and I will follow up with you (firstname.lastname at sophos dot com).

  3. William Morris · 562 days ago

    How did these rogue modules become loaded in the first place? Is it known?

    • Fraser Howard · 562 days ago

      No, at this point we do not know how the servers are getting hacked. We are in the process of following up with some of the ISPs, so hopefully will get more insight then.

  4. What is the likelihood of the Apache source repos or build mirrors being infected?


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.