New Malicious Module Attacks Unnoticed
Online attackers usually exploit webpages by adding malicious scripts to HTML pages or specific code that triggers “drive-by downloads.” Unfortunately, a new attack discovered last Friday, called Apmod, infects not only webpages but the web server itself. When a web server gets infected, every user who requests a web page from the infected server is a victim. Although this new attack is not yet widespread, it has the potential to be; it targets popular Apache Web Servers that run on both Windows and Linux. Apache Web Servers currently host about 204 million websites.
Apmod works by infiltrating Apache’s normal built-in filters. Computer engineers have discovered that this malicious module performs the same steps that normal advertisements use to include links to websites. The module uses legitimate code provided by the Apache API that was built for on-the-fly content generation (the same used for advertisements). What makes the module so dangerous is not necessarily that it tries to infect every web page it serves but, more importantly, that it contains many anti-detection mechanisms. One of these is that the module “watches” for signs of administrator access or processes and avoids serving malware to search engines.
Additionally, when it serves a web page with infected links, the module temporarily blacklists the user’s IP address to avoid delivering multiple infected web pages, which would make an attack easier to detect. The good news is that the hacker needs administrator-level access to install the module on a server, which is not very common with major websites. Also, the recent Sony hack was done by using SQL injections.
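
Because the module has to be installed on the server by someone with administrator-level access, one defensive check is to compare the modules an Apache configuration loads against a known-good baseline. The following is an added example, not code from the original article; it assumes the rogue module is loaded through a `LoadModule` directive, and the configuration, module names and paths are constructed for illustration.

```python
import re

# Apache directive form: LoadModule <module-identifier> <path-to-shared-object>
LOADMODULE_RE = re.compile(r'^LoadModule\s+(\S+)\s+(\S+)', re.IGNORECASE)

def parse_loadmodules(config_text):
    """Return [(module_id, path)] for every active (uncommented) LoadModule line."""
    found = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # skip blank lines and commented-out directives
        m = LOADMODULE_RE.match(stripped)
        if m:
            found.append((m.group(1), m.group(2).strip('"')))
    return found

def audit_modules(config_text, baseline):
    """Flag modules missing from the baseline or loaded from an unexpected path.

    baseline maps module identifier -> expected path, recorded from a
    known-good installation (an assumption of this example).
    """
    findings = []
    for module_id, path in parse_loadmodules(config_text):
        if module_id not in baseline:
            findings.append((module_id, path, "not in baseline"))
        elif baseline[module_id] != path:
            findings.append((module_id, path, "path differs from baseline"))
    return findings

# Constructed sample configuration (not taken from a real infected server).
SAMPLE_CONFIG = """
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule status_module modules/mod_status.so
LoadModule example_filter_module /tmp/mod_example_filter.so
LoadModule deflate_module /var/tmp/mod_deflate.so
"""

# Constructed known-good baseline.
BASELINE = {
    "rewrite_module": "modules/mod_rewrite.so",
    "ssl_module": "modules/mod_ssl.so",
    "deflate_module": "modules/mod_deflate.so",
}

if __name__ == "__main__":
    for module_id, path, reason in audit_modules(SAMPLE_CONFIG, BASELINE):
        print(f"REVIEW {module_id} ({path}): {reason}")
```

A check like this only covers modules declared in configuration files; it should be paired with file-integrity checks on the module binaries themselves.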