Apache Malware Installs Zeus

Thursday, December 20, 2012 @ 01:12 PM gHale

Apache, the world’s most widely used web server, is being used as a conduit to inject malicious content into web pages served by an infected Linux server, without the website owner’s knowledge.

Those are the findings of ESET’s analysis of a malicious Apache module it detected; ESET named the malware Linux/Chapro.A.

Although the malware can serve practically any type of content, in this specific case it installs a variant of Win32/Zbot, malware designed to steal information from online banking customers. While this particular version of Win32/Zbot targets European and Russian banking institutions, Linux/Chapro.A could eventually be used to mount attacks on American banks.

“The attack described in the present analysis shows the increased complexity of malware attacks,” said Pierre-Marc Bureau, ESET security intelligence program manager. “This complicated case spreads across three different countries, targeting users from a fourth one, and making it very hard for law enforcement agencies to investigate and mitigate its effects.”

The malicious module uses several techniques to reduce the chance that system administrators find it, such as setting cookies on the victim’s machine and not serving its injection to web browsers in which it might produce an error. ESET researchers first discovered Linux/Chapro.A in November. ESET first blocked the exploit through generic detection, even before the link was added to its URL blacklist. At the time of the analysis, the malicious command and control server was located in Germany; it has since gone offline.

Based on ESET’s analysis, the iframe injected by Linux/Chapro.A points to a “Sweet Orange” exploit pack landing page.
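A defender-side check for the selective injection described above, as an added example that is not code from the article or from ESET: it compares what the server actually returns to several client profiles (different browsers, with and without the cookie) against the page file on disk. The profile labels, the sample HTML and the placeholder hostname are constructed.

```python
# Added example, not from the article or ESET's analysis: compare what a server
# actually returns to several client profiles with the page file on disk, since
# a module like Linux/Chapro.A withholds its iframe from some browsers and from
# clients carrying the cookie it set earlier.
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def iframe_sources(html):
    p = _IframeCollector()
    p.feed(html)
    return set(p.srcs)


def injected_iframes(on_disk_html, served_by_profile):
    """Map client profile -> iframe srcs that were served but are not in the file.
    Profiles that received nothing extra are omitted, so an empty dict means no
    profile saw an injection. Checking several profiles matters: a single
    browser with a single cookie jar can be served a clean page.
    """
    baseline = iframe_sources(on_disk_html)
    return {profile: extra
            for profile, body in served_by_profile.items()
            if (extra := iframe_sources(body) - baseline)}


# Constructed sample data standing in for real fetches. Only the cookie-less IE
# profile gets the injected iframe; the hostname is a placeholder, not an IoC.
ON_DISK = "<html><body><h1>Welcome</h1><iframe src='/ads/local.html'></iframe></body></html>"
INJECTED = "<iframe src='http://exploit-kit.example/landing' width='1' height='1'></iframe>"
SERVED = {
    "ie-no-cookie": ON_DISK.replace("</body>", INJECTED + "</body>"),
    "ie-with-cookie": ON_DISK,
    "firefox-no-cookie": ON_DISK,
}

if __name__ == "__main__":
    for profile, srcs in injected_iframes(ON_DISK, SERVED).items():
        print(f"{profile}: injected iframe(s) {sorted(srcs)}")
```

In practice the bodies in SERVED would come from fetching the same URL with each client profile from a host outside the server, so the server-side module cannot tell the check apart from a visitor.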

“At the time of our analysis, the exploit pack was being hosted in Lithuania. The pack tries to exploit several vulnerabilities found in modern web browsers and plugins,” said Bureau. “Our investigation reveals the final purpose of the attack is to install a variant of Win32/Zbot, also known as ZeuS. For many years, ZeuS has been widely used to steal banking-related information.”

Once the user logs into his online banking account, the malware injects a pop-up asking for the user’s CVV code. The malware then tries to send the user’s credentials, along with the CVV, to the botnet operator. While the ESET research team has not witnessed any other installations of Linux/Chapro.A in the wild, it has observed thousands of users accessing the “Sweet Orange” exploit pack.
