Rogue Apache modules pushing iFrame injections which drive traffic to Blackhole exploit kit

Black holesThe Blackhole exploit kit has received a lot of attention recently, and we have published several technical papers on it.

The attention is warranted – the kit remains one of the most prevalent being used by criminals to infect users with malware.

In this article I am going to take a look at some of the recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites.

JavaScript libraries on the legitimate websites are prepended with code like this:

Malicious redirect injected into JavaScript

Similarly, webpages are injected with an inline script:

Malicious redirect injected into web pages

Sophos products block both types of infection as Mal/Iframe-AL.

SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats!

If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites that we have seen compromised in some way over the past week.

Breakdown of threats responsible for compromised popular web sites

Clearly these attacks are widespread then.

I wanted to dig a bit further into these attacks, in order to understand a bit more about how the sites are getting hacked.

Looking at data collected over the past 14 days (Feb 18th – March 4th 2013), I started off by looking at the host ISPs for the compromised web sites.

As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.

Distribution of compromised sites against ISPs (anonymized)

(I have anonymized the ISP data intentionally – I will be following up with as many of these as possible in order to try and get the servers cleaned up.)

Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.

Distribution of host countries for compromised web servers

If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect if the attacks were agnostic to the platform.

Web server platform breakdown for compromised sites

Most of these servers are running CentOS (then Debian then Ubuntu).

This last piece of data gives us some clues as to how these attacks are happening.

Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this.

Digging around it appears that this is indeed the root cause. The folks over at Sucuri managed to get hold of the rogue module that was used on one such victim server.

Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded. Please feel free to send suspect modules to Sophos by following the regular sample submission guidelines.

Update March 20th, 2013:
As noted above, we have been working with various affected ISPs in order to get servers cleaned up. Several malicious Apache modules have surfaced, and these are confirmed to be within the Apmod family, also known as ‘Darkleech’. Samples obtained thus far have been detected as Troj/Apmod-D).

An analysis of Apmod/Darkleech can be found here (Japanese).