A forum for reverse engineering, OS internals and malware analysis 

#23856 by unixfreaxjp, Wed Sep 10, 2014 10:31 pm
I have written a long analysis here: http://blog.malwaremustdie.org/2013/03/ ... pache.html
Description in one sentence:
This web server's evil ".so" ELF module patches the Linux web server service to redirect specific HTTP access requests, under several conditions, to the malicious infection scheme's URL.
Infection:
It needs a way to exploit a NIX server to gain the privileges to install its module into the web server's module configuration file.
In 2013, the infection caused by penetration via a cPanel exploit (0day) was causing huge problems; I personally helped clean up more than 300 servers that were redirecting victims to BH EK at that time. Thank you to @kafeine for the hint.

Reference:
http://download.yandex.ru/company/exper ... c_2012.pdf
http://blog.unmaskparasites.com/2012/08 ... njections/
http://eromang.zataz.com/2012/12/20/isn ... he-module/
http://blog.0day.jp/2013/03/ocjp-098-28 ... t-kit.html
(there are other sources/news afterward.)

Source of threat: (image)

Redirection recorded in a real case: (image)
Exploitation (from an exploit kit) following the redirection above: (image)

Samples:
https://www.virustotal.com/en/file/ece1 ... 384810988/
https://www.virustotal.com/en/file/94ef ... 391033849/

malwaremustdie.org
Attachment: 7z, pwd: infected (20.55 KiB)
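As an added illustration of the infection vector described in the post (a rogue .so installed through the web server's module configuration), and not part of the original post or of MalwareMustDie's tooling: a small audit that parses Apache LoadModule directives and flags modules that are not in a known set or are loaded from outside the trusted module directory. The config text, module names and paths are constructed; the ServerRoot and module directory defaults are assumptions.

```python
"""Audit Apache LoadModule directives for shared objects that do not belong.

Added example; the rogue directive in SAMPLE_CONFIG is invented for illustration.
"""
import posixpath
import re

LOADMODULE_RE = re.compile(r"^LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_loadmodules(config_text, server_root="/etc/httpd"):
    """Return (module_name, absolute_path) for each active LoadModule directive.

    Apache resolves a relative module path against ServerRoot (assumed here),
    and commented-out directives are ignored.
    """
    modules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LOADMODULE_RE.match(line)
        if not match:
            continue
        name, path = match.groups()
        if not path.startswith("/"):
            path = posixpath.join(server_root, path)
        modules.append((name, posixpath.normpath(path)))
    return modules


def audit_modules(modules, known_modules, trusted_dir="/etc/httpd/modules"):
    """Flag modules with an unknown name or a .so outside the trusted directory."""
    findings = []
    for name, path in modules:
        reasons = []
        if name not in known_modules:
            reasons.append("unknown module name")
        if posixpath.dirname(path) != trusted_dir:
            reasons.append("loaded from outside trusted module directory")
        if reasons:
            findings.append({"module": name, "path": path, "reasons": reasons})
    return findings


# Constructed sample config: the last line imitates a directive appended by an intruder.
SAMPLE_CONFIG = """\
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule status_module modules/mod_status.so
LoadModule core_helper_module /var/tmp/mod_helper.so
"""
KNOWN_MODULES = {"rewrite_module", "ssl_module", "status_module"}

if __name__ == "__main__":
    for finding in audit_modules(parse_loadmodules(SAMPLE_CONFIG), KNOWN_MODULES):
        print(finding)
```

In practice the known set comes from the distribution's package manifest for the httpd package, and a hash of each listed .so should be compared against that package as well, since a legitimately named module file can also be replaced.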