Linux servers targeted by new drive-by iFrame attack
Serves online banking malware
By John E Dunn
December 19, 2012 — Techworld — A new Linux iFrame attack has been spotted, this time one attempting to infect its victims with the Zeus/Zbot bank login stealer, security firm ESET has reported.
The Linux/Chapro.A. attack is starting to look like part of a trend for using 64-bit Apache as a malware conduit, bearing a resemblance to the similarly-crafted but apparently unrelated 'Snasko' rootkit attack discovered last month.
Aimed at Russian and European bank users, Chapro injects malicious content into web pages, targeting Windows users vulnerable to one of several well-known Java, IE and Adobe flaws using the 'Sweet Orange exploit pack hosted on a remote server.
The attack itself throws up a front end to harvest the PIN and CVV verification codes for credit and bank cards.
A secondary main task is to hide itself from admins for as long as possible, dropping a cookie and recording the IP address of the infected machine. That means the PC will not be infected over and over when returning, making it harder for researchers to detect where a given infection happened.
"The attack described in the present analysis shows the increased complexity of malware attacks. This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate its effects," said ESET's Pierre-Marc Bureau.
The main difference between the new attack and Snasko is its greater menace; the latter seemed rough around the edges. This one looks like a fully-functioning attack system, albeit that ESET said it hadn't detected many examples of the attack in the wild.