The investigation into Linux/Cdorked.A continues. There have been significant discoveries about this subtle and sneaky backdoor, which is designed to drive traffic to malicious websites.
- There are over four hundred web servers infected with Linux/Cdorked.A. 50 of them are ranked in Alexa's top 1000,000 most popular websites.
- The backdoor has been applied to other web server daemons. Lighttpd and nginx binaries have been found in addition to the already documented Apache binaries.
- The Linux/Cdorked.A threat is even sneakier than first thought. The malicious content is not delivered to victims whose IP addresses fall within a long list of IP ranges.
- If the internet browser's language is set to Japanese, Russian, Finnish, Ukrainian, Kazakh, or Belarusian, the victim will not be affected.
- 1000,000 users of ESET security products have browsed these infected websites and been redirected, even though the attack was blocked.
- In some of the configurations analyzed, specific redirections were designed for Apple iPad and iPhone users.
These victims are redirected to a malicious web server that is hosting a Blackhole kit. The infrastructure uses compromised DNS servers, which is how they are able to get into them. It is believed that the infection vector is not unique. It cannot be attributed only to installations of cPanel, because only a fraction of the infected servers are using this management software. This malware doesn't propagate by itself and it doesn't exploit any vulnerability in a specific piece of software. Linux/Cdorked.A is a backdoor, used by malicious actors to serve malicious content from legitimate websites.
Typical Linux/Cdorked.A configuration
Thanks to the system administrators and Sucuri, the code has been reviewed and analyzed. The configurations seen so far use only a single URL. The redirect is served to people using Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7. iPhone and iPad users are also victims, but they are not directed to the exploit kit; they are sent to pornographic websites instead.
In analyzing web traffic of the targeted websites, over 400 were identified as being affected by Linux/Cdorked.A. 50 of those sites are in the top 100,000 websites ranked by Alexa. All of these redirections have something in common: every effort is made to keep the operation under the radar and to resist monitoring as much as possible. The priority is not being detected rather than infecting as many victims as possible.
Hijacking the DNS
The URLs on the Linux/Cdorked.A infected servers change often. The domain usually looks like a run of numbers or letters. The subdomain also matches a 16-character hexadecimal string. The numbers at the beginning of the domains were hosting sites and shared hosting servers. The pages that show pornographic images and links contain an iframe leading to the Blackhole landing page. It is not clear whether the pornographic domains are malicious or referred.
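The 16-character hexadecimal subdomain described above can serve as a triage heuristic when reviewing proxy logs for redirects. The following is an added example, not code from the original post or from the researchers it cites; the tab-separated log format, the function names and all hostnames are constructed for illustration, and a match is a lead to investigate, not proof of infection.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Leftmost DNS label that is exactly 16 hexadecimal characters (per the article).
HEX16_LABEL = re.compile(r"[0-9a-f]{16}")

def has_hex16_subdomain(url):
    """True if the URL's host has a leftmost label of exactly 16 hex chars."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
    labels = host.split(".")
    # Require a subdomain in front of a domain and TLD; a bare domain is no match.
    if len(labels) < 3:
        return False
    return HEX16_LABEL.fullmatch(labels[0]) is not None

def suspicious_redirects(log_lines):
    """Map each serving host to the redirect targets that match the pattern.

    Assumed line format (constructed for this example, tab-separated):
    served_host <TAB> status <TAB> Location header value
    """
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines instead of raising
        served_host, status, location = parts
        if status in ("301", "302", "303", "307") and has_hex16_subdomain(location):
            hits[served_host].add(urlsplit(location).hostname)
    return dict(hits)

# Constructed sample lines; hosts use reserved example/test names.
SAMPLE_LOG = [
    "shop.example.org\t302\thttp://0123456789abcdef.a1b2c3.example.net/index.php",
    "shop.example.org\t302\thttps://shop.example.org/login",
    "blog.example.org\t200\t-",
    "blog.example.org\t302\thttp://0123456789ABCDEF.a1b2c3.example.net:8080/x",
    "blog.example.org\t302\thttp://0123456789abcdeg.a1b2c3.example.net/",  # 'g' is not hex
    "blog.example.org\t302\thttp://0123456789abcdef.test/",  # only two labels
    "truncated line",
]

if __name__ == "__main__":
    for host, targets in suspicious_redirects(SAMPLE_LOG).items():
        print(host, sorted(targets))
```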
It is recommended to keep browsers, browser extensions, operating systems, and third-party software such as Flash players and PDF readers up to date to avoid these infections. Antivirus software is always recommended.