Darkleech – malicious Apache mod anti-forensics – client-side.

2013.03.18

I wrote about Darkleech last year, and one of questions remain  – among anti-forensics features of it, that seller declared, were:

– frame delivered to unique users only, no frame on repeat. 

So – How it looks like for victim and how implemented?

Since than Linux/Chapro.A was posted in SecLists and  analysed by Kaspersky and ESET.

Afterwards Eric Romang provided some details, that it appear to be version of Darkleech module.

And here it appear again: UnixFreaxJP blog report about massive attack on Japanese segment of Internet.

Well, It’s time to see, is it DarkLeech and how anti-forensics implemented there from client PoV 🙂

Ok. Let’s see on any of servers that in list:

Read more…

DarkLeech – malware mod for Apache.

2012.09.16

It was expected, actually…

But – from the beginning.

Few last weeks I read about some strange malicious activity on Apache servers (WebmasterworldUnmaskParasites.com):

Iframe with malicious code was injected in multiple pages of Apache server dynamically.

Standard cleanup was not helpful at all, multiple co-located hosts were infected the same way.

Any website, moved to new server, became clean << When I saw this, it became obvious, that compromise is part of web-server itself, not per site.

So – I made a little research, and found  new product on black market, that You may be interested in 🙂

Read more…