Darkleech malware has injected invisible iFrames linking to malicious web pages into thousands of web sites, researchers said.
The malware uses an Apache web server module to add the iFrames, although researchers have not yet identified a credible attack vector explaining how the malicious module is installed. Darkleech is also very selective about which visitors receive the injected iFrames, maintaining a blacklist of users to whom it will not send dangerous content. Infected servers are spread across 48 countries, but are mostly concentrated on sites in the U.S., the UK and Germany.
Networking giant Cisco investigated Darkleech for six weeks in February and March 2013 and found 2,000 infected servers during this period.
Darkleech uses an Apache module to inject invisible iFrames into web pages; the iFrames link to malicious sites where visitors' systems can potentially be compromised by the Blackhole exploit kit, Cisco said. The Blackhole kit uses a number of exploits targeting security holes in Oracle's Java, Adobe Flash and Reader, and other popular plugins. There are plenty of such holes, and users often run without up-to-date plugins: one study by WebSense found that only one in twenty browsers with Java installed had a current version.
Darkleech takes a subtle approach to hijacking its victims, the researchers said. The iFrames are generated dynamically by the Apache module when a victim visits an infected site. Web administrators find this difficult to detect because the web site's own source code on disk remains untouched. Visitors from certain IP addresses are not served the iFrames and are placed on a blacklist instead: visitors from security and hosting firms are ignored, as are recently attacked users, various browsers and bots, and those arriving via search from a number of search engines or sites.
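One defensive check that follows from this behaviour, written here as an added example and not taken from the Cisco report: fetch the page as an ordinary visitor would (from an address outside the organisation, so the request is not one the module's blacklist would skip) and compare the served HTML with the file on disk, flagging any iframe that is hidden and absent from the source. The two sample pages and the `injected.invalid` host below are constructed.

```python
"""Detect server-side injected hidden iframes by diffing the HTML a server
actually serves against the HTML stored on disk. Added example; the sample
pages below are constructed, not taken from a real infection."""
import re
from html.parser import HTMLParser

# CSS tricks commonly used to keep a frame out of the visitor's view
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d+", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def collect_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.frames


def is_hidden(frame):
    """Zero/one-pixel dimensions or hiding CSS mark a frame as invisible."""
    def tiny(value):
        return value is not None and value.strip().rstrip("px") in ("0", "1")
    style = frame.get("style") or ""
    return (tiny(frame.get("width")) or tiny(frame.get("height"))
            or bool(HIDDEN_STYLE.search(style)))


def injected_hidden_iframes(disk_html, served_html):
    """Return src values of hidden iframes that appear in the served page
    but not in the on-disk source, i.e. frames added at serving time."""
    known = {f.get("src") for f in collect_iframes(disk_html)}
    return sorted(f.get("src") or "" for f in collect_iframes(served_html)
                  if f.get("src") not in known and is_hidden(f))


# Constructed sample: the clean file on disk, and the response an ordinary
# (non-blacklisted) client receives, carrying one extra hidden frame.
DISK_HTML = """<html><body><h1>News</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
</body></html>"""
SERVED_HTML = DISK_HTML.replace(
    "</body>", '<iframe src="http://injected.invalid/x.php" width="1" '
    'height="1" style="visibility:hidden"></iframe></body>')

if __name__ == "__main__":
    print(injected_hidden_iframes(DISK_HTML, SERVED_HTML))
```

Running the comparison from several external vantage points matters because a request from the administrator's own network may be on the blacklist and receive the clean page.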
Mary Landesman and Gregg Conklin, from Cisco Web Security, sampled 1,239 infected sites as part of their investigation and determined the attackers concentrated their efforts on sites running versions of Apache 2.2.22 or later and typically installed on Linux systems, but how the attackers managed to inject Darkleech remains unclear.
The Darkleech software also appears to backdoor the system by replacing the SSH daemon with a specially crafted one. This daemon implements a backdoor that transmits to a third-party site the access credentials of anyone who logs in. Given this depth of infection, administrators should reinstall the system and then restore the site from a backup copy, and ensure that all user name and password combinations are changed.
During the period in which Cisco's engineers were observing it, Darkleech spread to web sites such as the Los Angeles Times and a blog belonging to Seagate. The malicious iFrames remained undetected for around a month.