Apache Malware Darkleech Spreads Rapidly with Increase in Attacks


An ongoing vicious malware campaign has attacked a high volume of websites running the Apache web server, compromising more than 40,000 Web addresses in the past nine months, according to a report published Tuesday by antivirus company ESET.

Perhaps more alarming is the increasing occurrence of these attacks, with 15,000 of them happening in the month of May alone. ESET’s data shows that the malware campaign has been going on since at least February 2011.

The rogue Apache module, known as Darkleech, underwent a slight makeover last October, revamping the format of the URL in the malicious iframe to make it more difficult to detect.

In more recent attacks, the modified version of Darkleech has been installed on compromised Apache web servers, redirecting certain visitors to malicious websites that host attack code installed by the Blackhole exploit kit.

Those website visitors who have yet to install the updates that patch the vulnerabilities the exploit kit targets are infected with a range of malware.

ESET’s research has found that users will only be attacked when their browser reports that they are using Microsoft’s Internet Explorer browser or Oracle’s Java plugin.

The Darkleech module has also been found to sometimes pass over visitors using IP addresses belonging to security and web hosting companies, users who have recently been hacked, and visitors who have not reached the hacked pages from specific search queries.

This selective process of targeting would-be victims has made it more difficult for security companies to uncover more information on Darkleech developers and effectively block their infections.

ESET recommends that website administrators take the necessary security measures to protect themselves and their visitors from malware like Darkleech.

This includes regularly updating all software components, including the operating system and all applications, along with using a website security scanner to check the HTTP daemon of the Web server to ensure it hasn’t been tampered with.
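The tampering check ESET recommends can be approached as a baseline-and-compare integrity test over the web server's module directory: record a cryptographic hash of every module file while the server is known to be clean, then re-hash later and report anything added, removed or changed. The following Python script is an added example, not code from the article or from ESET; the module directory, file names and file contents are constructed inside the script so it runs offline, and a real deployment would point `build_baseline` at the server's actual module path and keep the baseline off the host.

```python
"""Baseline-and-compare integrity check for a web server module directory.

Added example, not from the article or ESET. The directory, module names
and module contents below are constructed for the demonstration only.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large .so files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(modules_dir: Path) -> dict:
    """Map every regular file under modules_dir (by relative path) to its hash."""
    baseline = {}
    for p in sorted(modules_dir.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(modules_dir))] = sha256_file(p)
    return baseline


def compare_to_baseline(modules_dir: Path, baseline: dict) -> dict:
    """Classify current files as added, removed or modified relative to the baseline."""
    current = build_baseline(modules_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current if name in baseline and current[name] != baseline[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a clean module directory, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp) / "modules"  # stands in for the real Apache module path
        mods.mkdir()
        (mods / "mod_ssl.so").write_bytes(b"\x7fELF clean ssl module (constructed)")
        (mods / "mod_rewrite.so").write_bytes(b"\x7fELF clean rewrite module (constructed)")

        # Baseline taken while the host is trusted; serialise it so it can be
        # stored off the server, where a later compromise cannot rewrite it.
        baseline_json = json.dumps(build_baseline(mods), indent=2, sort_keys=True)

        # Simulated tampering: one module patched in place, one unknown module dropped in.
        (mods / "mod_rewrite.so").write_bytes(b"\x7fELF rewrite module with altered code")
        (mods / "mod_unknown_example.so").write_bytes(b"\x7fELF unknown module (constructed)")

        return compare_to_baseline(mods, json.loads(baseline_json))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names or '-'}")
```

The value of the check lies in where the baseline lives and when it is taken: hashes recorded after a compromise, or stored where the web server's own account can overwrite them, prove nothing. Distribution package verification tools cover the same ground for packaged modules and can serve as the baseline source.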

Have you or your hosting customers experienced any malware attacks relating to the Darkleech Apache module? Do you offer your customers security software to protect them from these kinds of attacks?
