Linux/Cdorked Malware Attacking Some of the World’s Top Web Servers

As reported by the IDG News Service, a strain of covert malware called Linux/Cdorked is attacking some of the world’s highest-profile web servers – and to make things even more alarming, nobody’s quite sure yet how it got there…or where it may head next.

The malware alarm bell was set off last week by two security companies, Eset and Sucuri, which discovered (so far) 400 Apache web servers infected with Linux/Cdorked – 50 of which are ranked by Alexa as among the world’s most popular 100,000 websites.

The Linux/Cdorked malware, which was first detected in December 2012, secretly redirects visitors using IE or Firefox on Microsoft’s XP, Vista or 7 OS to a compromised website that hosts the Blackhole exploit kit, which attempts to find and take advantage of software vulnerabilities. The redirect commands run in memory only, which is why they aren’t captured by Apache logs. There is also some evidence to suggest that the cyber criminals behind the attack have compromised some DNS servers.

And what about iPad and iPhone visitors? Well, the good news is that they aren’t redirected to the Blackhole exploit kit. The bad news is that they’re redirected to pornography sites, instead.

It’s also notable that, so far, the attack seems to targeting entities in specific geo locations, as it has been sparing people in specific IP ranges, or if their browser’s language is Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian.

As for the clean up, Linux/Cdorked is hard to find – but it’s not an impossible task, as the malware creates a modified httpd binary on a victim’s hard drive, which can be detected.