Malicious Apache module used for content injection: Linux/Chapro.A

From Botnets.fr
Revision as of 15:29, 7 February 2015 by Eric.freyssinet (1 revision imported)


Botnet:
Malware: Chapro
Botnet/malware group:
Exploit kits: Sweet Orange
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2012 / 2012-12-20
Editor/Conference: ESET
Link: http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a (blog.eset.com; archive copy)
Author: Pierre-Marc Bureau
Type: Blogpost

Abstract

More than half of all web servers on the Internet use Apache, so when we discovered a malicious Apache module in the wild last month, being used to inject malicious content into web pages displayed by compromised web servers, we were understandably concerned. Our concern deepened when we discovered that this malware was being used in a scheme to steal banking credentials.

At first, we wondered if this code might be related to the Linux/Snasko.A rootkit reported to the Full-Disclosure mailing list and then analyzed by CrowdStrike and Kaspersky, but it turns out this is a completely different beast.

Bibtex

 @misc{2012BFR1271,
   editor = {ESET},
   author = {Pierre-Marc Bureau},
   title = {Malicious Apache module used for content injection: Linux/Chapro.A},
   day = {20},
   month = Dec,
   year = {2012},
   howpublished = {\url{http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a}},
 }