Malicious Apache Module: a clarification
[Update: here's a comment just added to his original blog by Pierre-Marc. As pointed out here, it appears that what we call Linux/Chapro.A has already been publicly discussed here by UnmaskParasites. We were not aware of this item before publishing this blog. Thank you, Eric Romang, for pointing this out.]
The very good recent blog from Pierre-Marc on ESET Canada's recent work on Linux/Chapro.A has generated a lot of interest and some questions, including some from the press. We wanted to clarify that, as far as we're aware, no Apache vulnerability is currently associated with this malware or the other threats highlighted in the post, though the Sweet Orange exploit kit does attempt to exploit some known browser and plug-in vulnerabilities, as Pierre-Marc already noted:
- CVE-2012-5076: Java JAX-WS Class Handling
- CVE-2012-4681: Java getField Method Class Invocation Privilege Escalation
- CVE-2006-0003: Internet Explorer MDAC
- CVE-2010-0188: Adobe Reader LibTiff Integer Overflow
Our friends and colleagues at Kaspersky did, when they kindly flagged the article, use the term 'Apache exploit', but I think they were using it in the looser sense of exploiting the Apache facility for adding modules that aren't part of the standard distribution, rather than implying a vulnerability in Apache code. Apache modules are add-on code taking advantage of the Apache module API to extend the functionality of the standard Apache distribution. In this case, the binary's functionality was malicious.
When we discussed this internally, ESET Canada’s Sébastien Duquette said:
We don't know the specific way the module was installed on the server from which we got the binary. The module was installed in Apache via the standard method: in the case we analyzed, the module was named "mod_chart_proxy" but it could be called anything. Users should keep an eye on the modules they have installed in Apache and examine modules they don't recognize.
As far as I can tell, no module of that name has been registered with Apache's modules database, and to the best of my knowledge Apache has not commented on the issue. There's probably no reason why they should.
"No idea how the chapro module got onto the server in the first place, could be weak password, vulnerable web application, etc. The user needs high privileges to load the module so... he most probably had root on the machine."
"We don't know who is spreading this but probably a gang specializing in such attacks, then renting "traffic" to other groups, we assume in this case a group that uses Sweet Orange to install zbot."
Cameron Camp said:
It seems very unlikely that the module would have come from an official distro's repositories, or the problems would be far more widespread. It is much more likely that the rogue code just got uploaded someplace on the server and apache is/was just doing what it was told.
Stephen Cobb added:
However, we also need to consider that the module could have been part of a corrupted Linux distribution or application package.
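Sébastien's advice above (keep an eye on the modules Apache has loaded and examine the ones you don't recognize) can be turned into a routine check. The script below is an added example written for this post, not ESET's code or anything shipped with Apache: it extracts the active LoadModule directives from a configuration file and reports every module that is not on a baseline list the administrator maintains. The sample configuration, the baseline, and the `chart_proxy_module` identifier and path for the "mod_chart_proxy" file are constructed for the demo; only the file name "mod_chart_proxy" comes from the analysis quoted above.

```shell
#!/bin/sh
# Added example (not ESET's or Apache's code): audit the LoadModule
# directives in an Apache config against a baseline of expected modules.
# Assumptions: the caller supplies the config path and a baseline file with
# one module identifier per line; the demo data below is constructed.

# Print "identifier path" for every active LoadModule line in a config file.
# Commented-out directives are ignored, since Apache does not load them.
list_loaded_modules() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]' "$1" |
        awk '{ print $2, $3 }'
}

# Print every loaded module whose identifier is absent from the baseline.
# The path is printed too, so the operator knows which file to examine.
unknown_modules() {
    config="$1"
    baseline="$2"
    list_loaded_modules "$config" | while read -r name path; do
        if ! grep -qxF "$name" "$baseline"; then
            printf '%s %s\n' "$name" "$path"
        fi
    done
}

# Demo on constructed data: three known modules (one commented out) and one
# unrecognized module whose identifier and path are made up for this example.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/httpd.conf" <<'EOF'
LoadModule dir_module modules/mod_dir.so
LoadModule proxy_module modules/mod_proxy.so
# LoadModule status_module modules/mod_status.so
LoadModule chart_proxy_module /usr/lib/apache2/modules/mod_chart_proxy.so
EOF
    printf 'dir_module\nproxy_module\nstatus_module\n' > "$tmp/baseline.txt"
    unknown_modules "$tmp/httpd.conf" "$tmp/baseline.txt"
    rm -rf "$tmp"
}
```

On a real host, point `unknown_modules` at the server's main configuration and any files it includes, and compare the result with what `apachectl -M` reports for the running configuration, since a module can also be loaded from an included file you did not expect. Whether an unfamiliar module file came from the distribution, which is the question Cameron Camp and Stephen Cobb raise above, is answered by the package manager's verification tools (for example `rpm -V` on RPM-based systems or `debsums` on Debian-based ones): a module file that no installed package owns, or whose checksum no longer matches the package, deserves the closer examination Sébastien recommends.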
Here, once again, are the MD5 hashes for the code that ESET Canada analysed. However, it's more than possible that the same or similar code will turn up again with a different hash.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow