I wrote a long analysis here: http://blog.malwaremustdie.org/2013/03/ ... pache.html
Description in one sentence:
This web server's evil "dot"so ELF module patches the Linux web server service to redirect specific HTTP access requests, under several conditions, to the malicious infection scheme URL.
Infection:
It needs a way to exploit a *NIX server to gain the privilege to install its module into the web server's module configuration file.
In 2013 the infection caused by penetration via a cPanel exploit (0day) was causing a huge problem; I was personally helping clean up more than 300 servers that were redirecting victims to BH EK at that time. Thank you to @kafeine for the hint.
Reference:
http://download.yandex.ru/company/exper ... c_2012.pdf
http://blog.unmaskparasites.com/2012/08 ... njections/
http://eromang.zataz.com/2012/12/20/isn ... he-module/
http://blog.0day.jp/2013/03/ocjp-098-28 ... t-kit.html
(there are other sources/news afterward..)
Source of threat:
Redirection recorded in a real case:
Following the redirection ↑above by the exploitation (from an exploit kit):
Samples:
https://www.virustotal.com/en/file/ece1 ... 384810988/
https://www.virustotal.com/en/file/94ef ... 391033849/
malwaremustdie.org
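An added detection example for the installation vector described in the post (the module is loaded through the web server's configuration file); this is not code from the post or from Malware Must Die. It parses httpd configuration text for LoadModule directives and flags any module whose shared object is not accounted for by the package manager. The config fragment, module names and the PACKAGE_OWNED set are constructed stand-ins; in practice PACKAGE_OWNED would be filled from `rpm -qf` / `dpkg -S` output.

```python
import re

# Constructed httpd config fragment (not from the page). One LoadModule entry
# points at a shared object outside the distribution's module directory.
SAMPLE_CONFIG = """\
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
# hypothetical injected line of the kind the post describes
LoadModule sec2_config_module /usr/local/lib/mod_sec2_config.so
LoadModule dir_module modules/mod_dir.so
"""

# Constructed stand-in for the package manager's view (`rpm -qf` / `dpkg -S`):
# absolute paths of module files that belong to an installed package.
PACKAGE_OWNED = {
    "/etc/httpd/modules/mod_rewrite.so",
    "/etc/httpd/modules/mod_ssl.so",
    "/etc/httpd/modules/mod_dir.so",
}

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_loadmodules(config_text, server_root="/etc/httpd"):
    """Return (module_name, absolute_path) for every LoadModule directive.
    Relative paths are resolved against ServerRoot, as httpd itself does."""
    found = []
    for line in config_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if not m:  # comments, blank lines and other directives
            continue
        name, path = m.group(1), m.group(2)
        if not path.startswith("/"):
            path = f"{server_root}/{path}"
        found.append((name, path))
    return found


def find_unowned_modules(config_text, owned_paths, server_root="/etc/httpd"):
    """Modules the config loads whose .so is not owned by any package;
    each hit deserves a manual look (strings, hashes, mtime, who added it)."""
    return [(name, path)
            for name, path in parse_loadmodules(config_text, server_root)
            if path not in owned_paths]


if __name__ == "__main__":
    for name, path in find_unowned_modules(SAMPLE_CONFIG, PACKAGE_OWNED):
        print(f"suspicious module: {name} -> {path}")
```

Include files pulled in via `Include`/`IncludeOptional` must be scanned as well, since an injected LoadModule line can live in any of them.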
Attachments
7z,pwd:infected