According to a report in Ars Technica, Darkleech has probably infected around 20,000 websites in just the last few weeks. This figure is based, says Ars Technica, on almost 2000 Darkleech infections discovered by Cisco. “Assuming the typical webserver involved hosted an average of 10 sites, that leaves the possibility that 20,000 sites were infected over that period.” The reality, however, is that no-one knows how many sites are infected.
The process starts with the attackers gaining root access to the servers. How they do this is the biggest puzzle (“researchers aren't ruling out the possibility of password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes,” suggests Ars.) But once rooting has been achieved, servers “are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules,” explains Cisco’s Mary Landesman. One such malicious module is Darkleech.
Once infection is achieved, the malware goes to considerable effort to remain undiscovered. It infects visitors by dynamically injecting iFrames into the web page only at the moment the page is served to a visitor. It does so conditionally, consulting its own blacklist of search engine spiders and of the IP addresses of researchers, site owners and the compromised hosting providers. It also checks the referrer URL to ensure that the visitor has arrived via valid search engine results, and checks the browser User Agent to limit targeting to Windows users.
The result is a webserver infection that is difficult to detect and possibly more difficult to remove. The affected website owners, for example, “will not be able to detect or clean the compromise as (a) it is not actually on their website, and (b) most will not have root-level access to the webserver,” comments Landesman. Two weeks ago Malware Must Die! published a detailed analysis of Darkleech. In this, it comments, “Since root was gained on all infected servers, there is no way we can trust the host or its credentials anymore; we suggest you take the machine offline and use the backup data to start a new service, AND remember to change all of the server's users since there is a strong possibility that the server's admin credentials were leaked.” There is, then, a strong commercial incentive for the web hosting companies to deny or ignore any evidence of infection. Even if Darkleech itself is cleansed, the attackers' root access will remain available to be reused.
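Because the injection is withheld from crawlers, researcher IPs and the site owner, a single fetch from the owner's own browser proves nothing. The added example below (not code from Cisco, Malware Must Die! or the article) shows the differential check a defender would run instead: request the same page with a victim-like profile (Windows browser, search-engine referrer) and a crawler-like profile, then diff the iframes. The header profiles and both sample responses are constructed, and 198.51.100.7 is a documentation address, not an indicator from the article.

```python
"""Diff iframes served to a victim-like request against those served to a crawler-like one.

A Darkleech-style module injects only for Windows browsers arriving from search results
and withholds the iframe from crawlers, researchers and the site owner, so the owner's
own browser never sees it. The HTTP fetch is left to the caller; this compares two bodies.
"""
from html.parser import HTMLParser

# Request profiles a checker would send (constructed values, not from the article).
VICTIM_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
                  "Referer": "https://www.google.com/search?q=example"}
CRAWLER_HEADERS = {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"}

class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes

def looks_hidden(attrs):
    """True for the 0/1-pixel or display:none frames typical of drive-by injection."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = (attrs.get("width"), attrs.get("height"))
    return ("display:none" in style or "visibility:hidden" in style
            or any(d is not None and d.rstrip("px") in ("0", "1") for d in dims))

def find_cloaked_iframes(victim_html, crawler_html):
    """Iframes served to the victim profile whose src the crawler profile never saw."""
    crawler_srcs = {f.get("src") for f in extract_iframes(crawler_html)}
    return [f for f in extract_iframes(victim_html) if f.get("src") not in crawler_srcs]

# Constructed sample responses; 198.51.100.7 is a documentation address, not an IoC.
CLEAN_PAGE = ("<html><body><h1>Blog</h1>"
              "<iframe src='https://video.example/embed/1'></iframe></body></html>")
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<iframe src='http://198.51.100.7/q.php' width='1' height='1' "
    "style='display: none'></iframe></body>")

if __name__ == "__main__":
    for frame in find_cloaked_iframes(INJECTED_PAGE, CLEAN_PAGE):
        print("cloaked iframe:", frame.get("src"), "hidden" if looks_hidden(frame) else "visible")
```

Run the check from a network the malware has no reason to blacklist; a frame that appears only for the victim profile is exactly the kind of conditional injection described above, and its absence for the owner is what makes the infection look clean from the inside.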
What all this means is that end users must redouble their efforts to remain safe against such unseen threats on the internet. “The infected site contains javascript that injects an [invisible] iFrame,” ESET senior research fellow David Harley told Infosecurity, “and that pushes the computer user who accessed the site towards an exploit kit. So it's hard to see what an end user can do by way of self-protection apart from keeping up to date on patches and security software.” Harley discussed a Darkleech campaign under the name of Linux/Chapro.A in December last year.