The classic term for a security hole that is unknown to the vendor, and therefore unpatched, is “zero-day,” as in “the vendor has had zero days to fix the responsible hole.” In the dark dungeons of the Internet, where they keep binders full of women and over 9,000 script kiddies harass Oprah, there are three or four applications that are perennial targets of zero-day hunting.
At the top of that list, naturally, is SSH, which in practice means OpenSSH; a genuine remote exploit for it surfaces only every few years. Only slightly behind OpenSSH in target popularity is anything that touches SSL/TLS, with OpenSSL the favorite there.
But, honestly, the biggest, baddest zero-day you can hold is one for the Apache HTTP Server. Apache is the world’s most popular Web server, and a remote code execution bug that works against any stock installation would hand you a foothold on something like 60% of the Web.
But hacking the Apache Web Server isn’t easy. It’s a hardened application, and when an Apache zero-day is out in the wild it typically doesn’t take long for the security world to notice. After all, when a whole bunch of very high-profile sites get hacked in close succession, you’d do well to put your money on there being an Apache zero-day in the hands of some motivated attackers.
So, attackers have turned to a different tactic: rather than breaking Apache, they break into the server some other way and then replace or augment Apache once they have root. The Sucuri Blog has written about this.
Sucuri explained that attackers have been installing malicious Apache modules to keep control of servers they had already compromised. But that wasn’t enough, evidently: “During the last few months, we started to see a change on how the injections were being done. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated, and we worked with our friends from ESET to provide this report on what we are seeing,” wrote Sucuri’s Daniel Cid.
What does this mean? It means you’d better verify the Apache binaries and modules on your servers against a known-good reference, not just eyeball them. Where Apache came from a distribution package, the package database is that reference (rpm -V httpd on Red Hat-style systems, dpkg --verify or debsums on Debian-style ones). Where it was built from source, as on cPanel hosts, there is no package record, so the reference has to be a hash baseline you recorded yourself while the box was clean and keep somewhere the attacker can’t edit. Use SHA-256 rather than MD5, and run the check with tools you trust (rescue media or a copy of coreutils from a clean host), because an attacker who can swap httpd can swap sha256sum too. A hash check catches a replaced binary or an added module; it says nothing about what the running process is doing, so treat a mismatch as an incident, not a fix. All the security in the world can’t fix a Web server that’s been compromised at the binary level. Stay safe, and trust no binaries!
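Here is the baseline-and-compare check described above, as an added example that is not code from the original post or from Sucuri or ESET. It records SHA-256 hashes of every file under the Apache binary and module directories and later reports files that changed, disappeared, or appeared (a dropped-in extra module is as interesting as a swapped httpd). The default paths in APACHE_DIRS are assumptions covering a cPanel-style source build under /usr/local/apache and packaged layouts under /usr/sbin; point it at whatever your install actually uses, and keep the baseline file off the host.

```shell
#!/bin/sh
# Added example (not from the original post, Sucuri, or ESET): integrity
# baseline for an Apache install. Record while the host is known clean,
# store the baseline off-box, and compare later from trusted tools.
# Assumptions: GNU/POSIX find and sha256sum are available; APACHE_DIRS
# lists the paths to cover (defaults below are a guess at common layouts).

APACHE_DIRS="${APACHE_DIRS:-/usr/local/apache/bin /usr/local/apache/modules /usr/sbin/httpd /usr/sbin/apache2}"

# record_baseline [PATH...]  -> lines of "sha256  path", sorted by path.
# Paths that do not exist on this host are skipped silently.
record_baseline() {
    [ $# -gt 0 ] || set -- $APACHE_DIRS
    for p in "$@"; do
        [ -e "$p" ] || continue
        # -exec ... {} + never runs sha256sum with zero arguments, which
        # would otherwise make it block reading stdin.
        find "$p" -type f -exec sha256sum {} +
    done | sort -k2
}

# verify_baseline BASELINE_FILE [PATH...]
# Prints CHANGED/MISSING/ADDED lines; returns 0 only if the install is
# identical to the baseline.
verify_baseline() {
    baseline="$1"
    shift
    [ $# -gt 0 ] || set -- $APACHE_DIRS
    status=0

    # 1. Every recorded file must still exist and hash the same.
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED  $path"
            status=1
        fi
    done < "$baseline"

    # 2. No file may have appeared since the baseline (e.g. a new .so
    #    in the modules directory that the config then loads).
    known=$(mktemp) || return 1
    # sha256sum output is "hash<two spaces>path"; fields 3- is the path.
    cut -d' ' -f3- "$baseline" > "$known"
    record_baseline "$@" | cut -d' ' -f3- | while read -r path; do
        grep -q -F -x -- "$path" "$known" || echo "ADDED    $path"
    done | grep . && status=1
    rm -f "$known"
    return $status
}
```

Run `record_baseline > apache.sha256` once on a host you have just built or reinstalled, copy the file somewhere the host cannot write, and later run `verify_baseline apache.sha256` with tools you trust (a statically built coreutils on removable media, or the disk mounted from rescue media with the paths adjusted). A nonzero exit is a reason to pull the host from service and start forensics, not a reason to restore the file and move on.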