For at least nine months, the Darkleech malware is believed to have injected invisible iFrames that link to malicious web pages into thousands of web sites. The malware uses an Apache web server module to add the iFrames, although no credible attack vector has been identified as the route for the malicious module installation. Darkleech is also very careful when selecting victims to have the iFrames injected into, running a blacklist of users it won’t send dangerous content to. Infected servers have been found in 48 countries, but are mostly concentrated on sites in the US, the UK and Germany.
Ars Technica’s Dan Goodin reports that networking supplier Cisco investigated Darkleech for six weeks in February and March 2013 and noted 2,000 infected servers during this period. With an assumed ten sites per server Goodin estimates that at least 20,000 web sites were infected over that period of time.
Darkleech uses an Apache module to inject invisible iFrames into web pages; the iFrames link to malicious sites where visitors can potentially have their systems compromised using the Blackhole exploit kit. The Blackhole kit uses a number of exploits and generally targets security holes in Oracle’s Java, Adobe Flash and Reader, and other popular plugins. There are, historically, plenty of these holes and many users run without up-to-date plugins. One recent study by WebSense estimated that only one in twenty browsers with Java installed has a current version.
Darkleech uses a very subtle approach to hijacking its victims; the iFrames are dynamically generated by an Apache module when an infected site is visited. Web administrators find this difficult to detect because the web site’s own source code remains untouched. Certain IP addresses won’t be injected with iFrames though, and will be blacklisted instead – visitors from security and hosting firms are ignored, as are recently attacked users, various browsers and bots, and those accessing via search from a number of search engines or sites.
Apache injection attacks by country
Source: Cisco Mary Landesman and Gregg Conklin, from Cisco Web Security, sampled 1,239 infected sites as part of their investigation and determined that the attackers have concentrated their efforts on sites running versions of Apache 2.2.22 or later and typically installed on Linux systems, but how the attackers managed to inject Darkleech remains unclear. Vulnerabilities in Plesk, Cpanel and other management software could potentially have been exploited to compromise the servers, but other potential access pathways, including cracked passwords, social engineering and other attacks, cannot be ruled out.
The attackers deploying Darkleech like to retain control of the servers they infect too. The Darkleech software appears to backdoor the system by replacing the SSH daemon with a specially crafted one. This daemon implements a backdoor which transmits the access credentials of anyone logging in to a third-party site. Given this depth of infection, it is recommended that administrators revert to a backup copy of the site after reinstalling the system, and ensure all user name and password combinations are changed.
During the period of the Cisco engineer observation, Darkleech was spread on web sites such as those of the Los Angeles Times and a blog belonging to Seagate. The malicious iFrames remained undetected for around a month. The malware was first reported on Denis Sinegubko’s blog “Unmask Parasites” on 13 August 2012.