Antivirus company ESET reported detecting new malware, Linux/Chapro.A, which attackers use to launch attacks on visitors to sites hosted on compromised Linux servers.
A distinguishing feature of Linux/Chapro.A is that the malicious code is implemented as a module for the Apache HTTP server, which injects iframes or JavaScript blocks that exploit browsers into the traffic of the sites being served.
Notably, the module includes several techniques to hide its presence. In particular, it uses a cookie and a log of visitor IP addresses so that the malicious iframe is injected for a given client only once (when the page is reopened, it no longer contains the malicious code). In addition, the module performs no injection for IP addresses from which SSH logins to the server have been recorded, which prevents administrators from finding out how the machine was infected and from which site the malicious code was obtained. The module also includes a built-in database of search-crawler identifiers and leaves pages unmodified when they are requested by crawlers. This makes it harder to identify servers affected by the malicious module at scale and to flag them automatically as dangerous in search engine results.
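Because of the cloaking described above, a defender has to compare what a crawler receives with what a first-time visitor receives. The following is an added example, not code from ESET or from the malware: it diffs the iframes and scripts in two captured bodies of the same URL. The sample pages and the host `injected.example` are constructed, and the visitor capture is assumed to come from a cookie-less client on an IP address that has never logged in to the server over SSH.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample captures of one URL (not real traffic).
CRAWLER_VIEW = '<html><body><script src="/js/site.js"></script><p>Hello</p></body></html>'
VISITOR_VIEW = ('<html><body><script src="/js/site.js"></script><p>Hello</p>'
                '<iframe src="http://injected.example/x" width="1" height="1"></iframe>'
                '</body></html>')

class ActiveContent(HTMLParser):
    """Collect iframe sources, external script sources and inline script digests."""
    def __init__(self):
        super().__init__()
        self.items = set()
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe":
            self.items.add(("iframe", src or ""))
        elif tag == "script":
            if src:
                self.items.add(("script", src))
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.items.add(("inline-script", hashlib.sha256(body).hexdigest()[:16]))
            self._inline = None

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def cloaked_content(crawler_html, visitor_html):
    """Active content served to the visitor but absent from the crawler's copy."""
    return sorted(active_content(visitor_html) - active_content(crawler_html))

if __name__ == "__main__":
    for kind, ref in cloaked_content(CRAWLER_VIEW, VISITOR_VIEW):
        print(f"only in visitor view: {kind} {ref}")
```

Sites that legitimately vary content per visitor will also produce differences, so each hit is a lead for manual review, not a verdict.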
The page loaded in the injected iframe targets Windows users and contains a link to download a standard set of exploits for vulnerabilities in Internet Explorer, Adobe Reader and the Java plugin. If exploitation succeeds, the ZeuS Trojan (Win32/Zbot) is installed on the client machine to intercept passwords and bank account data.
The malicious Apache module was found on a compromised server in binary form, built for 64-bit systems. How the server was compromised has not been reported; the most likely scenario is considered to be a leak of SSH keys or passwords from the administrator's machine (for some of the compromised servers, it was found that their administrators' machines had been compromised at the same time).