The Linux/Chapro.A. attack is starting to look like part of a trend for
using 64-bit Apache as a malware conduit, bearing a resemblance to the
similarly-crafted but apparently unrelated ‘Snasko' rootkit attack
discovered last month.
Aimed at Russian and European bank users, Chapro injects malicious
content into web pages, targeting Windows users vulnerable to one of
several well-known Java, IE and Adobe flaws using the ‘Sweet Orange
exploit pack hosted on a remote server.
A secondary main task is
to hide itself from admins for as long as possible, dropping a cookie
and recording the IP address of the infected machine. That means the PC
will not be infected over and over when returning, making it harder for
researchers to detect where a given infection happened.
"The
attack described in the present analysis shows the increased complexity
of malware attacks. This complicated case spreads across three
different countries, targeting users from a fourth one, making it very
hard for law enforcement agencies to investigate and mitigate its
effects," said ESET's Pierre-Marc Bureau.
The main difference
between the new attack and Snasko is its greater menace; the latter
seemed rough around the edges. This one looks like a fully-functioning
attack system, albeit that ESET said it hadn't detected many examples of
the attack in the wild.
No comments:
Post a Comment