In the code, the Cascading Style Sheet class name, positioning, IFRAME size, random string and IP or domain are all variable. When injected into a site’s included JavaScript files, the code is wrapped in a “document.write()” method.
While some minor variation on this style has been observed, all follow a similar pattern to the code above and all injections seen by CERT Australia have used the “q.php” file in the URL.
Indicators of compromise
There are several files on the systems which may confirm compromise by the DarkLeech malware.
Temporary files
DarkLeech stores temporary files in the system’s /var/tmp directory. These files are known to contain a variety of information regarding banned IP’s. The files take the following format:
sess_<32 character random character string>
Module location
There are a variety of locations where the Apache HTTP Server may store modules, though each distribution ordinarily limits this to a small number of directories. It is possible for an administrator or malicious actor to include modules from other locations so incident responders should be aware of the locations utilised by a particular server’s installation.
For example, it is common for the following distribution types to use the following folders to store or link to modules:
Redhat-derived distributions
/usr/lib64/httpd/modules
/usr/lib/
/lib64/
Debian-derived distributions
/usr/lib/apache2/modules
/etc/apache2/mods-available
/etc/apache2/mods-enabled
Additionally, CERT Australia has observed several cases where a “LoadModule” directive has been inserted into a configuration file located in /etc/httpd/conf.d/ or /etc/apache2/conf.d/ directory which loads the DarkLeech module during server start-up.
Identification and verification of the malicious module’s origin can be made by utilising the distribution’s package management tools (such as “rpm” or “dpkg”). Quarantining of the module(s) and removal of the references from configuration files will prevent further malicious code insertions by DarkLeech. Some files have been observed to make use of the filesystem’s extended attributes to prevent deletion and would need to be modified for successful removal.
Other compromised files and services
CERT Australia has received reports that other packages on affected systems have also been compromised, including a number of binaries related to the Secure Shell (SSH) services. Additionally, generic PHP backdoors have also been reported and thus incident responders need to be aware that a malicious Apache module is unlikely to be the only unauthorised file on the system. Depending on the level of compromise, detection of malicious artefacts may only be possible by examining the filesystem when offline.
Specific recommendations
Although the method of initial compromise related to the DarkLeech module is not currently known, CERT Australia suggests that partners consider the following specific mitigations to protect against this cyber security risk:
-
Update Operating System, Apache Server and Content Management System software to the latest version or patch levels;
-
Make use of system file integrity and Rootkit monitoring tools;
-
Conduct remote website monitoring for detection of injected code;
-
Consider utilising data backups to recover the system on a new Operating System installation.
-
After system recovery and mitigation has taken place, change operating system, application and user passwords from a computer system known to be free of malicious software.
Please contact CERT Australia for YARA or CLAMAV detection signatures.
General recommendations
CERT Australia suggests that partners consider the following general mitigations to protect against this and other cyber security risks:
-
Use application white-listing to only allow specifically authorised applications to operate on networks. This mitigation helps prevent malicious software or unauthorised applications from executing.
-
Ensure that applications and operating systems are kept up-to-date with the latest software patches.
-
Ensure that users are restricted from, or are administratively prohibited from installing unauthorised software and browsing the internet with administrator privileges.
-
Remove, disable, or rename any default system accounts wherever possible.
-
Enforce strong passphrase policies to reduce the risk from brute forcing attempts.
-
Implement account lockout policies to reduce the risk from brute forcing attempts.
-
Monitor the creation of administrator level accounts by third-party vendors.
-
Monitor intrusion detection and/or prevention systems, user logs and server logs for suspicious behaviour.
-
Use defence-in-depth methods in system design to restrict and control access to individual products and control networks.
-
Take measures to minimise network exposure for all control system devices. Critical devices should not be directly exposed to the internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network.
-
When remote access is required, use secure methods such as Virtual Private Networks (VPNs) with two factor authentication.
-
Ensure that computer systems are running antivirus software with the latest antivirus signatures.
-
If infected, review your antivirus software specific removal guidelines for the malware.
-
For other mitigation please refer to the “Strategies to mitigate targeted electronic intrusions” publication. [1]
Please contact CERT Australia on 1300 172 499 or info@cert.gov.au if you observe activity corresponding to this publication, or if you have any questions concerning the publication, its content or its application.
Links
-
https://www.cert.gov.au/advisories
Further information
-
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
-
http://blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html
Feedback
CERT Australia is interested in any feedback you may have with respect to this update and/or the service we provide. Please email info@cert.gov.au or call 1300 172 499, if you would like to provide us with any comments.
NOTE: Organisations need to consider the sensitivity of information sent to this email address as it will be ‘in the clear’ and not secure. If needed, secure communication channels for sensitive or incident related information are available on request.
Incident reporting
Partners observing any activity connected to this publication are requested to contact CERT Australia at info@cert.gov.au or 1300 172 499. This information is used to form an understanding of Australia’s cyber threat context. All information is handled internal to the CERT and in strict confidence. Secure communications mechanisms are available on request.
About CERT Australia
CERT Australia’s primary responsibility is to develop close working relationships with critical infrastructure organisations and businesses that operate systems that are important to Australia’s national interest. In this way, CERT Australia is able to help ensure that important services all Australians rely on in their daily lives, are secure and resilient.
In addition to any internal or regulatory requirements that may be in place, CERT Australia partners can report cyber threats and incidents to CERT Australia on 1300 172 499. This telephone number assists CERT Australia to rapidly respond to incidents impacting those services that are critical to all Australians.
Cyber crime involves the unauthorised access to or impairment of computer systems and is likely to constitute an offence under the Commonwealth’s Criminal Code Act 1995 and/or state and territory criminal laws. If CERT Australia partners suspect they have been the victim of cyber crime they should report it to the Australian Federal Police.
|
CERT Australia
SENSITIVE INFORMATION TRANSMISSION
Restrictions on Access and Use
Traffic Light Protocol
|
TLP CLASSIFICATION
|
RESTRICTIONS ON ACCESS AND USE
|
RED
|
Highly Restricted
Access to and use by your CERT Australia Security Contact Officer only.
You must ensure that your CERT Australia Security Contact Officer does not disseminate or discuss the information with any other person, and you shall ensure that you have appropriate systems in place to ensure that the information cannot be accessed or used by any person other than your CERT Australia Security Contact Officer.
|
AMBER
|
Restricted internal access and use only.
Subject to the below, you shall only make ‘AMBER’ Alerts available to your employees on a “needs to know basis” strictly for your internal purposes only to assist in the protection of your information and communications technology (ICT) systems.
In some instances you may be provided with ‘AMBER’ Alerts which are marked to allow you to also disclose it to your contractors or agents on a “needs to know basis” strictly for your internal purposes only to assist in the protection of your ICT systems.
|
GREEN
|
Restricted to closed groups and subject to confidentiality
You may share ‘GREEN’ Alerts with external organisations, information exchanges or individuals in the network security, information assurance or critical network infrastructure community that agree to maintain the confidentiality of the information in the Alert.
You may not publish or post on the World Wide Web or otherwise release it in circumstances where confidentiality may not be maintained.
|
WHITE
|
Not restricted
‘WHITE’ Alerts are not confidential. They contain information that is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the information, subject to copyright and any restrictions or rights noted in the information.
|
NOT CLASSIFIED
|
Any information received from CERT Australia that is not classified in accordance with the Traffic Light Protocol must be treated as ‘AMBER’ classified information unless otherwise agreed in writing by the AttorneyGeneral’s Department.
|
This document remains the property of the Australian Government. The information contained in this document is for the use of the intended recipient only and may contain confidential or privileged information. If this document has been received in error, that error does not constitute a waiver of any confidentiality, privilege or copyright in respect of this document or the information it contains. This document and the information contained herein cannot be disclosed, disseminated or reproduced in any manner whatsoever without prior written permission from the Assistant Secretary, CERT Australia, Attorney-General's Department, 3 - 5 National Circuit, Barton ACT 2600.
The material and information in this document is general information only and is not intended to be advice. The material and information is not adapted to any particular person’s circumstances and therefore cannot be relied upon to be of assistance in any particular case. You should base any action you take exclusively on your own methodologies, assessments and judgement, after seeking specific advice from such relevant experts and advisers as you consider necessary or desirable. To the extent permitted by law, the Australian Government has no liability to you in respect of damage that you might suffer that is directly or indirectly related to this document, no matter how arising (including as a result of negligence).
WHITE
32>
Share with your friends: |