A malicious Apache module found operating in the wild turns sites running the Internet's most popular Web server into platforms that surreptitiously install malware on visitors' computers.
The plugin, which was discovered by researchers from antivirus provider Eset, is an x64 Linux binary that streamlines the process of injecting malicious content into compromised websites. It was found running on an undisclosed website that exposed end users to a variety of exploits that installed the ZeuS banking trojan, also known as Win32/Zbot. It also pushed malware from Sweet Orange, a newer exploit kit hosted by servers in Lithuania that competes with ZeuS. When Eset discovered the plugin last month, it was connecting to command and control servers in Germany and was being used to target banking customers in Russia and elsewhere in Europe.
"This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate," Pierre-Marc Bureau, Eset's security intelligence program manager, wrote in a blog post. "It is not clear at this point in time if the same group of people are behind the whole operation, or if multiple gangs collaborated, perhaps with one to drive traffic to the exploit pack and sell the infected computers to another gang operating a botnet based on Win32/Zbot."