Apache Module for Mass iFrame Injection Sells for 1K, Automates Exploitation

The web plays a crucial role in malware dissemination, and cyber-criminals are doing all they can to automate infection. If exploit packs have already become mainstream, crooks have taken the game a step further by offering an Apache module capable of injecting iFrames on all pages hosted on the server.

The module is compatible with the Apache web server branch 2.x and allegedly sells on underground forums for about $1,000.

Apache is one of the most popular web server applications that power the web to date. It runs on both Linux and Windows systems and serves web pages when users ask for it. According to Netcraft, Apache is so great that nearly 65 percent of the web pages you visit daily are served by an Apache server.

Large websites usually run on one or more servers alone, but personal websites and blogs are often sharing a server with other websites/customers. By compromising the server and installing this malicious Apache module, the attacker can simultaneously inject iFrames into all pages of all customers. These iFrames are then used to infect visitors of these pages via web exploits, just like happened with the Opera homepage last week.

It`s quite curious how exactly the attacker would manage to install an Apache module on a sever they don`t have root access on.

“The Apache 2.x based stealth module is capable of inserting and rotating iFrames on all pages at a particular website hosted on the compromised server. The process will only work with a cookie+unique IP in an attempt by the cybercriminal behind the kit to make the process of analyzing the module harder to perform. The module would also not reveal the iFrame URL to search engines, Google Chrome and Linux users, as well as local IP,” security researcher Dancho Danchev told NetSecurity.