All the latest UK technology news, reviews and analysis


Apache Darkleech PDF and JavaScript attacks infect hundreds more websites

22 May 2013
Apache Software Foundation feather logo

Cybercrooks running the Apache Darkleech JavaScript attacks have become more tenacious, infecting hundreds more websites, according to security firm Zscaler.

The security firm reported a marked increase in the number of websites falling victim to the Darkleech attack on Wednesday, warning that many of them are hosted in the UK.

Zscaler's Krishnan Subramanian wrote: "The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page.

"We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the BEK version 2. We identified the following sites being compromised in the past week within observed Zscaler traffic."

Subramanian said that the complex nature of the attack's exploit method makes it difficult to know exactly how many sites have been affected, making tracking and combating the threat a difficult task.

"The exploit code targets vulnerabilities in multiple plugins including Adobe PDF and Java when run on IE, causing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection. However, this URL was not accessible (404 error response) at the time of writing, hence it was not possible to retrieve the malicious binary file," explained Subramanian.

"Upon revisiting some of these compromised websites, it was found that the page was no longer serving the injected code. This provides a clue. The attackers probably choose random sites running the Apache Webservers that are vulnerable to the Darkleech exploit and infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task."

The attack was already believed to have infected thousands of websites when it was first uncovered earlier this year. Subramanian said businesses or website owners that are worried their site has been infected should contact their Apache server host to ensure they have installed the CVE-2012-1557 security patch to fix the flaw.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
23%
14%
4%
17%
30%
12%

Popular Threads

Powered by Disqus
Galaxy S5 vs iPhone 5S vs Nexus 5 showdown

Galaxy S5 vs iPhone 5S vs Nexus 5

We speed test three of the most popular smartphones

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Digital Project Manager - Creative Technology House

Digital Project Manager - Creative Technology House Henley...

SQL Database Adminstrator (DBA) SQL 2012, SSIS, Windows 2012

SQL Database Adminstrator (DBA) SQL 2012, SSIS, Windows...

SharePoint Lead Developer - SharePoint 2013, C#, .Net

SharePoint Lead Developer – SharePoint 2013, C#, .Net...

Infrastructure Analyst - Storage, SAN, EMC, VMWare, Exchange

Infrastructure Analyst - Storage, SAN, EMC, VMWare, Exchange...
To send to more than one email address, simply separate each address with a comma.