A malicious plug-in that purports to be from the Apache Foundation is actually a Trojan that infects Linux-based Web servers, which then become distribution centers for the Zeus banking Trojan.
The unpleasant Apache module, Linux/Chapro.A, was discovered on an undisclosed website by the Slovak anti-virus software company ESET. According to the firm, the plug-in also sends out malware from the Sweet Orange exploit kit, a hack-by-numbers tool available from a server in Lithuania, and tries to exploit previously patched holes in Java, Microsoft Internet Explorer and Adobe Reader.
The cybercrime trail doesn't end there, though. The researchers said Chapro called back to a command-and-control server in Germany but claimed victims in Russia and other European states.
Apache's free Web-hosting software is the most widely used hosting platform in the world.
"This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate," wrote ESET security intelligence manager Pierre-Marc Bureau in a blog posting. "It is not clear at this point in time if the same group of people are behind the whole operation, or if multiple gangs collaborated."
Bureau chose not to disclose how the hackers managed to pull off the plug-in hack, but Ars Technica pointed out that many websites fall into criminals' hands following a data breach.
Bureau also pointed out that the nasty plug-in was likely made by a third party and was not issued by the Apache Foundation.
To protect yourself from drive-by downloads and other Web-hosted malware, be sure to run robust anti-virus software no matter which operating system you use.