STE WILLIAMS

RTFM! NSA tome reveals THE TRUTH behind spooks on the web

According to Hollywood, spies have access to all sorts of gizmos that mere civilians could only dream of playing with.

But it turns out that American secret agents use Google just like the rest of us. Now we are able to find out exactly how, following the publication of a hush-hush spooks’ guide to the internet.


A 651-page tome called Untangling the Web has been published under freedom of information legislation. It is the 12th version of a guide written by experts at the US National Security Agency (NSA) and dates back to 2007.

The book may not be a particularly sexed-up dossier, focusing mainly on search tips for secret agents, but contains several clues about the NSA’s focus on the Middle East, Russia and China.

It opens with the tale of a Grand Vizier of Persia, Abdul Kassem Ismael, who owned 117,000 books and commissioned a caravan of 400 camels to carry them in alphabetical order – something no self-respecting spy needs to do in the modern age. Latter-day spooks can now use Google to search the “darned big” web, the document insists.

The anonymous author wrote: “After a decade of researching, reading about, using and trying to understand the internet, I have come to accept that it is indeed a Sisyphean task. Sometimes I feel that all I can do is push the rock up to the top of that virtual hill then watch as it rolls back down again.”

The most interesting part of the document covers Google hacking, showing spooks how to find documents that were never meant to be public. Would-be Google ninjas learn to use search operators such as “filetype:” and “site:” to look for specific file types on specific websites.

In a nod to practicality, the NSA reminds its staff to try looking for documents or files at the website of China’s foreign ministry (rather than its main government website) because there are likely to be more results in English.

It also recommends “URL guessing” by telling agents that Russian websites often use the name of cities in their web addresses.

Agents should also pay attention to cultural differences, advises the NSA’s Googler-in-chief, who points out that using an Arabic spelling of Mohammed will return quite different results from using the English spelling.

Similarly, using localised search engines such as Baidu or regionalised Google variations will result in significantly different results than in the USA, says the author, who cites the example of searching for Basque separatist terror group ETA on Spanish search engines and comparing those to US-centric results.

Anyone looking to find out dialling codes for Russia is advised to visit the Russian Brides website as, “after all, these folks are running a business and must provide accurate information about how to contact their clients”.

Wikipedia also got its first entry in the dossier, because of its “growing importance”. However, the book contains the following advice familiar to any Reg reader (and journalist):

“Do not rely on Wikipedia as your sole reference or source of information.”

Despite the wide variety of search techniques detailed in the book, the author is quick to reassure upstanding spooks that nothing he’s teaching them is illegal:

“Lest you think I am spilling the beans here, I assure you I am not revealing anything that is not already widely known and used on the internet both by legitimate and illicit Google hackers.”

Other insights into the workings of the NSA’s online division come in the admission that agents were “never impressed” with Ask Jeeves, with its “annoying butler icon” and the “unfulfilled promise of answers to natural language queries”.

To spies who find themselves stuck on how to use certain technologies or software, the author passes on the following strategy:

“Read the instructions.”

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/10/spies_guide_internet/

German govt DUMPS 170 NEW PCs riddled with Conficker

The German education ministry has binned new computers infected by the infamous Conficker worm – and bought replacements – rather than attempting to disinfect the machines.

It emerged this week that a grand total of 170 PCs and servers at German teacher training institutes in Schwerin, Rostock and Greifswald were dumped soon after they became infected with the notorious worm in September 2010. The decision cost German taxpayers €187,300 (£158,291).


Simply cleaning up the malware would have cost €130,000 (£110,000), Heise reports, reflecting a cost difference of €57,000 (just over £48k). The bill, which also included data restoration costs, only emerged through a recently published audit report.

More details on the outbreak and its aftermath are revealed on page 154 of a report [PDF, German] by auditors at the State of Mecklenburg-Vorpommern, which finds that the teacher training colleges had left themselves wide open to attack by failing to maintain an up-to-date security policy.

Auditors were unable to apportion blame for the spread of the Conficker worm. “It remains unclear if the anti-virus product had some issues, or if the outbreak was caused by technical or human failure,” the auditors concluded, according to a translation of their report sourced by Sophos.

A blog post by the security software firm concludes that a combination of basic antivirus scanners (which might even be available at low or no charge to educational institutes) and backup software ought to have been enough to thwart the well-known threat.

That’s as may be, but it’s worth noting that Conficker has caused all sorts of problems at many organisations worldwide.

Conficker (AKA Downadup) first appeared in November 2008, exploiting a then recently patched vulnerability in the Windows Server service (MS08-067) to wiggle its way into unpatched systems. The malware also spread via infected USB sticks, which became its main route of infection as time passed.

It was the worm’s aggressive scanning routines that caused the greatest headache, rather than anything else it did on infected machines. Host networks of infected PCs were swamped with bandwidth-sucking traffic, and clean-up was far from straightforward. Early victims included the Houses of Parliament and the UK’s Ministry of Defence.

Months later, secondary infections began cropping up in a variety of hospitals. Infection of the network of Greater Manchester Police prompted the force to take the unprecedented step of suspending access to the police national computer, as a precaution against the further spread of the worm, for several days back in February 2010.

The botnet’s zombie headcount peaked at over six million PCs, more than enough to create all sorts of mayhem. Backdoored PCs were, of course, wide open to secondary infection, but little malfeasance along these lines actually took place.

Windows PCs infected with the C variant of Conficker were programmed to download Spyware Protect 2009 (a scareware package) and the Waledac botnet client, malware that turned zombie drones into conduits for spamming.

The spread of the worm prompted Microsoft to team up with allies in the field of information security including Trend Micro, Sophos and VeriSign to form the Conficker Working Group. The group succeeded in neutralising domains programmed to act as control hubs for the infamous worm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/10/german_ministry_dumps_conficker_pcs/

India joins list of nations vetting Huawei, ZTE

India has joined the list of countries concerned about allowing the installation of telecoms kit from Chinese companies Huawei and ZTE.

The USA has banned the pair from winning contracts connecting phones from sea to shining sea, citing security concerns (although many feel its real worry is protecting local companies).


Australia forbade Huawei from supplying the nation’s nascent national broadband network, on security grounds. Australia’s decision was made just a few weeks after a visit by Barack Obama, whose retinue is believed to have offered Australian authorities a briefing on the risks posed by Huawei.

The Hindustan Times now says India has expressed similar concerns. The Delhi-based paper reports India’s Department of Telecommunications has responded to a request from the nation’s Cabinet and will establish a lab to test for the presence of “Spyware, Malware and bugging software” in telecoms kit.

India’s not a noted manufacturer of telecoms networking kit, so perhaps western suppliers like Cisco and Alcatel will also be forced to submit their products for a going-over.

Whoever ends up on the list of must-be-tested vendors, any hunt for spyware and malware may well be futile: the torrent of accusations against Huawei and ZTE has never suggested their kit phones home, leaks packets or does anything so crude that a lab test or an alert network operator would catch it.

Security specialists of Vulture South’s acquaintance have suggested the threat the Chinese vendors pose may be far more subtle, with some circumstances perhaps requiring the companies’ staff to perform certain types of maintenance. At those moments, maybe when USB drives containing “firmware updates” are inserted, interesting things might just happen. Staff bearing those drives may or may not know about their true payload or have loyalties that go beyond the provider of their paycheck.

Whatever the exact nature of the threat Huawei and ZTE are supposed to pose, the former clearly knows it has a lot to do to regain trust. That ongoing effort this week saw Huawei founder and CEO Ren Zhengfei visit New Zealand, declare it “a wonderful, progressive country” and talk up the company’s plan to spend lots of money and hire lots of people in the land of the long white cloud.

Ren also offered the following comment on the USA’s opinion of his company:

“Huawei equipment is almost non-existent in networks currently running in the U.S. We have never sold any key equipment to major US carriers, nor have we sold any equipment to any U.S. government agency. Huawei has no connection to the cyber security issues the U.S. has encountered in the past, current and future.”

One suspects a similar visit to India might not be far off. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/10/india_to_test_huawei_and_zte_kit/

Alleged SpyEye big fish hauled in for US trial

Alleged SpyEye kingpin Hamza Bendelladj now faces a 23-count computer hacking and fraud indictment following his extradition from Thailand to the US last week.

Bendelladj, a 24-year-old Algerian national, is suspected by the FBI of making millions from selling the SpyEye banking Trojan toolkit to cybercrooks through various underground online marketplaces and carding forums.


SpyEye is a customisable Trojan with interchangeable components that is widely used to steal online banking credentials from compromised PCs. It ranks alongside ZeuS as one of the two worst pathogens of its kind. The developers of SpyEye and ZeuS started out as rivals, but since April 2011 evidence in the malicious code itself, as well as posts on underground cybercrime forums, has suggested the two groups are collaborating.

Often cybercrime arrests net phishing mules, low-level crooks who are paid to run bank accounts designed to receive looted funds from compromised accounts. The Feds allege that Bendelladj operated much higher up the food chain.

Bendelladj (alleged to operate under the handle Bx1) faces 11 counts of computer fraud, 10 counts of wire fraud and two conspiracy charges. US investigators allege that between 2009 and 2011, Bendelladj and unnamed cohorts “developed, marketed and sold various versions of the SpyEye virus and component parts on the internet and allowed cybercriminals to customise their purchases to include tailor-made methods of obtaining victims’ personal and financial information.”

Bendelladj is also alleged to have operated command-and-control (C&C) servers linked to the banking botnet. One of the files on a SpyEye C&C server hosted in Georgia contained information from approximately 253 unique financial institutions, the FBI said.

If convicted on all counts, Bendelladj faces a theoretical maximum of up to 30 years in prison for conspiracy to commit wire and bank fraud along with fines of up to $14m.

It’s not clear how much any leader of SpyEye would have made from its nefarious activities or how far the FBI have got in tracking down ill-gotten loot connected to sales of the Trojan and botnet herding.

Court papers contain allegations that Bendelladj’s main role in the scam was two-fold: advertising sales of SpyEye licences on underground forums and running botnets of compromised hosts.

Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, while he was in transit from Malaysia to Egypt back in January. In a DoJ statement on Bendelladj’s extradition, FBI officials and prosecutors were both keen to ram home the message that they were keen to haul alleged cybercrooks in for trial wherever they operated from or travelled to across the world.

“The indictment charges Bendelladj and his co-conspirators with operating servers designed to control the personal computers of unsuspecting individuals and aggressively marketing their virus to other international cybercriminals intent on stealing sensitive information,” said acting Assistant Attorney General Raman. “The extradition of Bendelladj to face charges in the United States demonstrates our steadfast determination to bring cybercriminals to justice, no matter where they operate.”

FBI Special Agent in Charge Mark Giuliano added: “The FBI has expanded its international partnerships to allow for such extraditions of criminals who know no borders.”

Additional security-related comment on the extradition can be found in a post by Lisa Vaas on Sophos’ Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/09/spyeye_suspect_extradited/

Melbourne IT admits hack, says ’twas but a flesh wound

Report says Oz outfit hacked to harm Twitter’s DNS

Australian domain registrar Melbourne IT admits “an unauthorised third party” has attacked the company, but says the incident was minor.

Domain name registrars have been copping it of late, with name.com yesterday forced to reset its customers’ passwords after an attack and Linode taking the same precaution in mid-April.


Online naughtiness perpetration outfit Hack the Planet is thought to have had a hand in name.com’s woes and has claimed responsibility for the Linode breach and for the attack on Melbourne IT. The page on which it does so is now available only through cache trickery here, but says “Xinnet, MelbourneIT, and Moniker” have all been breached. The page also says a dump of registrar information has been released, but the URL at which the file is supposed to live is gone, as is any cached trace.

Domain Name News reports that Hack the Planet targeted Melbourne IT because it does domain business for Twitter.

Melbourne IT offered The Reg the following statement about the incident:

“Melbourne IT is aware of an incident where an unauthorised third party attempted to access Melbourne IT servers. The attacker managed to gain limited access to a low-level server which hosts content for one of Melbourne IT’s non-retail websites but hosts no customer data nor sensitive company data. Our investigations have found no evidence of any data loss and no evidence of unauthorised access to any other Melbourne IT system.”

®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/09/melbourne_it_hacking/

Microsoft plasters IE8 hole abused in nuke lab PC meltdown

Microsoft has issued a temporary fix for a high-profile Internet Explorer 8 vulnerability. This is the bug exploited in recent targeted attacks that used a US Department of Labor website visited by nuclear weapons research staff as a watering hole.

The Fix It, released late on Wednesday, is designed to offer a temporary block against attacks based on the zero-day vulnerability ahead of a more comprehensive patch.


Applying the Fix It does not require a reboot, an important factor in corporate environments. Microsoft is withholding details on what the Fix It actually does – at least until after its security gnomes forge a proper patch.

Redmond recommends that all customers using Internet Explorer 8 apply the stop-gap Fix It. Users of other versions of Internet Explorer are not affected and therefore need not worry.

“We have updated Security Advisory 2847140 with an easy one-click Fix It to help protect Internet Explorer 8 customers,” said Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing in a statement.

“Customers should apply the Fix It or follow the workarounds listed in the advisory to help protect against the known attacks while we continue working on a security update. Internet Explorer 6, 7, 9 and 10 are not affected.”

The Fix It is an easy-to-apply alternative to various workarounds detailed by Microsoft when it admitted there was a serious hole in its browser software late last week. Part of these defences rely on Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET), which hardens applications such as browsers on Windows against the memory-corruption techniques that browser 0-days typically depend on.

IE 8 comes pre-installed on Windows 7 systems but users have the straightforward option of upgrading to IE 9 in order to stay out of harm’s way, an option unavailable to laggards running Windows XP boxes.

A blog post by Wolfgang Kandek, CTO at cloud security firm Qualys, commenting on the vulnerability and suggested defence tactics can be found here.

Stats from Qualys’s BrowserCheck service suggest that 42 per cent of all systems are running IE 8. If successfully exploited, the 0-day vulnerability (CVE-2013-1347) in IE 8 yields full control of compromised Windows machines, allowing hackers to install malware such as the Poison Ivy Trojan.

The exploit has reared its ugly head on several other websites since its initial discovery on a US Department of Labor website on 1 May. Since then the exploit has also been bundled into Metasploit, the popular open-source penetration testing toolkit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/09/ie8_0day_stop_gap_fix/

Brit unis get £7.5m of taxpayers’ cash for cybersecurity PhDs

Two UK universities are going to split £7.5m in government funding to train the next generation of cybersecurity experts.

The University of Oxford and Royal Holloway University bagged £3.65m and £3.8m respectively to run doctoral courses in computer security from the Engineering and Physical Sciences Research Council and the Department for Business, Innovation and Skills.


Universities minister David Willetts said Blighty had to do everything it could to handle threats to its networks and electronic systems.

“Businesses are facing more cyber-attacks than ever before, putting their confidential information and intellectual property at risk. We must do everything we can to tackle this threat and make them less vulnerable,” he said.

“These new centres will produce a new generation of cyber security specialists, able to use their skills and research expertise to improve cyber security and drive growth.”

The multimillion-pound handouts are part of the National Cybersecurity Programme, and will add PhD places on top of the 30 GCHQ-sponsored slots the scheme already supports.

The UK government has joined the US administration and other nations in classing cyber attacks as a priority for national security, putting them on the same level as terrorism.

Oxford uni said its programme would include the security of big data, real-time safety, and effective systems verification and assurance.

“The Centre for Doctoral Training (CDT) team will not draw from just the technical perspective, but also disciplines such as social science, business, and strategic studies,” said Dr Andrew Mason, who will run the centre.

“Mixing these with practitioner experiences from business and government, the students will gain a unique insight into the context of their work, and undertake research that makes a real, long-lasting contribution.”

The funding would allow the top uni to offer 12 full scholarships for starting periods of three years, while Royal Holloway said it would have ten PhD scholarships in three annual intakes.

Organisations including IBM, McAfee, Thales and Logica had already agreed to back Royal Holloway’s programme, the university said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/09/uk_unis_cybersecurity_phd_funding/

Thai PM’s site defaced with smutty abuse

The Thai Prime Minister’s Office web site is out of action after hackers yesterday defaced the home page with insulting slogans, although the group implicated in the attack says it was framed.

Glamorous Yingluck Shinawatra, the sister of exiled former PM Thaksin Shinawatra, has been a controversial figure in Thailand since she swept to power in 2011.


The site defacement included a picture of her laughing alongside the words “I’m a slutty moron”, and later, “I know that I am the worst Prime Minister ever in Thailand history!!!”, according to The Hacker News.

Responsibility for the hack was attributed to local duo Unlimited Hack Team; however, a message on their Facebook page denies all responsibility and claims that rival hackers may be trying to frame them for the attack.

Google Translate has done its worst to garble the meaning but The Bangkok Post translated the rest as follows:

Every time Unlimited Hack Team hacked a website we’ll come out to claim responsibility. People should wait for police to find the perpetrators and punish them.

The paper also quotes Suranand Vejjajiva, the secretary-general to the PM’s Office, as saying that the culprits will be charged under the country’s controversial Computer Crime Act.

“Hacking a website is easy… but don’t forget that checking who did it is not hard either,” he added.

Human rights activists are increasingly concerned that the 2007 law is being misused under the Shinawatra regime to stifle freedom of speech.

The act penalises any “false computer data” which could cause damage to a third party or national security. However, given Thailand’s strict and somewhat anachronistic lèse majesté law, defaming the monarchy could be viewed as damaging national security.

In a highly celebrated case around a year ago, Thai webmaster Chiranuch Premchaiporn was given an eight month suspended sentence after a defamatory user-generated comment was left on her site for 20 days.

Most recently labour rights activist Somyot Prueksakasemsuk was sentenced to a whopping 11 years in jail in January 2013, after campaigning against lèse majesté and penning articles critical of the monarchy.

NGO Freedom House’s latest Freedom of the Press index rates the country as “Not Free”, putting it in the same boat as repressive regimes such as Ethiopia, China and Iran. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/09/thai_pm_site_defaced/

Malaysian election sparks web blocking/DDoS claims

Opposition leaders and human rights activists have warned that Malaysia’s recent elections were tarnished with widespread web blocking and DDoS attacks designed to deprive voters of information about opposition coalition Pakatan Rakyat (PR) before going to the polls.

Barisan Nasional (BN) extended its 56-year rule by storming to victory on Sunday, winning 133 parliamentary seats out of a total of 222 while PR managed just 89, even though the result was expected to be much tighter.


PR leader Anwar Ibrahim immediately branded the elections a fix, claiming widespread fraud and even that the ruling coalition had flown in tens of thousands of “phantom voters” from Borneo states to help sway the result.

Several independent sources have argued that online censorship was also used to disrupt the opposition’s campaign efforts in the run-up to the elections.

Last week Human Rights Watch revealed that popular online news site Malaysiakini, which is often critical of the government, had been experiencing service outages and technical problems since April 20, and also had its Twitter accounts briefly hacked and taken over.

Earlier, on April 11, London-based Malaysian radio web portals Radio Free Malaysia, Radio Free Sarawak, and Sarawak Report were hit by a large scale DDoS attack which generated over 130 million hits on the sites in three-and-a-half hours, taking them out of action for five days.

Web security firm Sucuri confirmed the DDoS-ing of news sites in a blog post.

“We won’t go into the politics, but one of our client’s sites (a popular Malaysian news source that we won’t name), started to suffer a very large scale DDOS,” wrote malware researcher David Dede.

“Just in the last 24 hrs, 36,367 (yes, 36 thousand different IP addresses) were used to attack this site. It means that the people behind it have good power. What is interesting is that all IP addresses also come from Malaysian IP ranges and it seems to come from compromised desktops.”
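A worked example, added here rather than taken from the article or from Sucuri’s own tooling, of how an operator would pull the two facts Dede reports (how many distinct sources hit the site in a given window, and where those sources cluster) out of ordinary Apache or Nginx combined-format access logs. The log lines are constructed for illustration using RFC 5737 documentation addresses, and the five-sources-per-minute threshold is an assumption chosen only so the small sample trips it; a real site would set it from its own quiet-hour baseline:

```python
"""Many-source HTTP flood detection over combined-format access logs.

Added example (not from the article or Sucuri): parse Apache/Nginx
"combined" log lines, count distinct client IPs per time window, and
report how concentrated the sources of any flagged window are by /16.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# combined format: ip ident authuser [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (RFC 5737 documentation addresses), not real traffic:
# one quiet minute, one junk line, then a minute with seven distinct sources.
SAMPLE_LOG = [
    '192.0.2.44 - - [28/Apr/2013:09:58:12 +0800] "GET /news HTTP/1.1" 200 3072',
    '192.0.2.44 - - [28/Apr/2013:09:58:40 +0800] "GET /style.css HTTP/1.1" 200 812',
    'not a combined-format line',
    '203.0.113.10 - - [28/Apr/2013:10:00:01 +0800] "GET / HTTP/1.1" 200 5120',
    '203.0.113.11 - - [28/Apr/2013:10:00:02 +0800] "GET / HTTP/1.1" 200 5120',
    '203.0.113.12 - - [28/Apr/2013:10:00:02 +0800] "GET / HTTP/1.1" 200 5120',
    '203.0.113.13 - - [28/Apr/2013:10:00:03 +0800] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Apr/2013:10:00:05 +0800] "GET / HTTP/1.1" 200 5120',
    '198.51.100.8 - - [28/Apr/2013:10:00:05 +0800] "GET / HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Apr/2013:10:00:31 +0800] "GET /news HTTP/1.1" 200 3072',
    '203.0.113.10 - - [28/Apr/2013:10:00:59 +0800] "GET / HTTP/1.1" 200 5120',
]


def parse_line(line):
    """Return (client_ip, timezone-aware datetime) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def sources_per_window(lines, window_s=60):
    """Map window start (epoch seconds, aligned to window_s) -> set of distinct client IPs."""
    windows = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate junk rather than abort the whole run
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_s * window_s
        windows[bucket].add(ip)
    return windows


def prefix_concentration(ips, prefixlen=16):
    """[(network, share_of_sources), ...] for each /prefixlen, largest share first."""
    counts = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips
    )
    total = sum(counts.values())
    return [(net, n / total) for net, n in counts.most_common()]


def flag_floods(lines, window_s=60, min_sources=5):
    """Windows whose distinct-source count reaches min_sources, each with its dominant /16.

    min_sources is a placeholder; derive it from the site's own baseline.
    """
    report = []
    for bucket, ips in sorted(sources_per_window(lines, window_s).items()):
        if len(ips) < min_sources:
            continue
        top_net, share = prefix_concentration(ips)[0]
        report.append({
            "window_utc": datetime.fromtimestamp(bucket, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "sources": len(ips),
            "top_prefix": top_net,
            "top_share": round(share, 3),
        })
    return report


if __name__ == "__main__":
    for row in flag_floods(SAMPLE_LOG):
        print(row)
```

Run against a real log, the interesting signal is the combination Dede describes: a high distinct-source count with each source making only a handful of requests (a botnet of compromised desktops rather than one noisy client), and the sources concentrating in a small number of national /16 ranges. A flood from a few addresses would show a low source count and would be handled by ordinary rate limiting instead.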

The disruption was apparently not confined to DDoS attacks.

Digital rights group Access claimed that certain ISPs were selectively blocking content critical of or embarrassing to the ruling coalition – first entire web sites but then individual pages such as specific YouTube clips or Facebook content.

The group has a detailed summary of its findings here.

It concluded that: “this behavior points to the likely use of DPI or proxy devices at the ISP level, with custom (if poorly) written rules to first trigger off the HTTP path portion of the URL, and subsequently drop packets on the server to user return path.”

Given the allegations it’s perhaps not surprising that pressure group Reporters Without Borders pushed Malaysia down 23 points to 145th on its 2013 World Press Freedom Index – its lowest ever ranking.

The report added:

Despite an all-out battle by rights activists and online media outlets, a campaign of repression by the government, illustrated by the crackdown on the “Bersih 3.0” protest in April, and repeated censorship efforts, continue to undermine basic freedoms, in particular the right to information.

Malaysia was also recently included on the list of countries revealed to have been using the controversial spyware FinFisher, marketed to governments around the world as “lawful interception” software. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/09/malaysia_fraud_elections_ddos_web_blocking/

Stealthy, malware-spewing server attack not limited to Apache

A mysterious backdoor that has been used to drive traffic to malicious websites may be more widespread than previously thought, security researchers say, and it affects more web servers than just Apache.

The malware – which has been dubbed “Linux/Cdorked.A” or “Darkleech,” depending on whom you ask – was first spotted in the wild in late April, when it was thought to have infected hundreds of web sites running on the Apache server.


More recently, however, researchers have also found instances of the Lighttpd and Nginx web server daemons that had been similarly modified to include Cdorked code.

Compromised servers redirect incoming HTTP requests to sites hosting the infamous Blackhole exploit kit but leave no traces in the server logs to alert admins of the malicious activity. All of the data related to the backdoor is held in shared memory and never touches the disk.

Given that Apache, Lighttpd, and Nginx are all open source software, it’s not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three. What is curious, however, is how they managed to smuggle their Trojanized versions onto active servers – not to mention what they hope to achieve by it.

“We still don’t know for sure how this malicious software was deployed on the web servers,” ESET security researchers write in a blog post. “We believe the infection vector is not unique.”

Initially, the researchers had thought that the attackers had managed to inject their malware onto servers by exploiting a vulnerability in cPanel, a remote administration tool that is popular among shared-hosting providers. As more and more compromised servers were discovered, however, researchers realized that only a fraction of them were running cPanel.

“One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software,” the researchers write.

In other words, someone is replacing legitimate web server software with binaries containing the Cdorked backdoor, but exactly how they’re doing it remains a mystery. They may even be using a different technique on each server.

Equally mysterious is just who the intended targets of the attack might be, and why. According to ESET, the Cdorked malware doesn’t just blindly attack every web surfer who comes along. In fact, it operates according to a set of sophisticated yet bewildering rules.

For one thing, Cdorked keeps a list of IP addresses that have already been redirected to the Blackhole exploit, along with time stamps, to avoid redirecting the same user too often (and thus risk being detected).

The malware can also be configured with a whitelist of addresses (or address ranges) to always redirect, as well as a blacklist of addresses to never redirect. These lists can be programmed via a command and control server, again without any suspicious activity showing up in the server logs.

In one instance ESET examined, the lists were populated with inexplicable patterns. About 50 per cent of all IPv4 addresses were blacklisted, apparently irrespective of their geographic location. At the same time, the exploit was disabled for all users whose browsers were configured to use the Belarusian, Finnish, Japanese, Kazakh, Russian or Ukrainian languages.

The systems targeted by the Cdorked malware were likewise baffling. Only users running Windows XP, Vista, or 7 were served the exploit, even though the latest Blackhole kit works on Windows 8, too. What’s more, only Firefox and Internet Explorer users were attacked; users running Chrome, Opera, Safari, or other browsers were spared.

Even curiouser, a special exception was put in place for iPhone and iPad users. The Cdorked malware redirected their requests, but not to the exploit kit. Instead, they were shown a page advertising pornographic websites.
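The targeting rules above are what make a compromised server hard to confirm from the outside: a scanner running Chrome on Linux, or an analyst with a Russian-language browser, will never see the redirect. The following model of those rules is an added example, not ESET’s code or the backdoor’s, and it is meant for working out what a probe must look like. The header parsing, the rule ordering, the whitelist-overrides-everything behaviour and the 24-hour re-redirect interval are assumptions; the user-agent strings and the half-of-IPv4 blacklist are constructed to mirror the case ESET described:

```python
"""Model of the Linux/Cdorked.A redirect-selection rules as ESET reported them.

Added example, not ESET's code or the backdoor's. It exists to answer one
question: what must a probe request look like before a "no redirect" result
means anything? Rule ordering, header parsing and the re-redirect interval
are assumptions; the article only gives the criteria themselves.
"""
import ipaddress
import re

# Browser UI languages for which the exploit was disabled (BCP 47 primary subtags).
SPARED_LANGS = {"be", "fi", "ja", "kk", "ru", "uk"}
# Only Windows XP, Vista and 7 were served the exploit; NT 6.2 (Windows 8) was not.
TARGET_OS = re.compile(r"Windows NT (5\.1|6\.0|6\.1)\b")
# Only Internet Explorer and Firefox; Chrome, Opera and Safari were spared.
TARGET_BROWSER = re.compile(r"MSIE \d|Firefox/")
APPLE_MOBILE = re.compile(r"\b(iPhone|iPad)\b")
REREDIRECT_AFTER_S = 24 * 3600  # assumption: minimum gap before the same IP is redirected again


def primary_languages(accept_language):
    """Primary subtags of an Accept-Language header: 'ru-RU,ru;q=0.9,en;q=0.5' -> {'ru', 'en'}."""
    langs = set()
    for part in accept_language.split(","):
        tag = part.split(";")[0].strip().lower()
        if tag:
            langs.add(tag.split("-")[0])
    return langs


def ip_in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


class RedirectPolicy:
    """Per-request decision: 'exploit' (Blackhole), 'adult' (iOS decoy page) or 'none'."""

    def __init__(self, blacklist=(), whitelist=()):
        self.blacklist = [ipaddress.ip_network(r) for r in blacklist]  # never redirect
        self.whitelist = [ipaddress.ip_network(r) for r in whitelist]  # always redirect (assumed to win)
        self.seen = {}  # ip -> epoch seconds of last redirect; memory only, like the backdoor's shared segment

    def decide(self, ip, user_agent, accept_language, now):
        if APPLE_MOBILE.search(user_agent):
            return "adult"
        if ip_in_ranges(ip, self.whitelist):
            self.seen[ip] = now
            return "exploit"
        if ip_in_ranges(ip, self.blacklist):
            return "none"
        if primary_languages(accept_language) & SPARED_LANGS:
            return "none"
        if not (TARGET_OS.search(user_agent) and TARGET_BROWSER.search(user_agent)):
            return "none"
        last = self.seen.get(ip)
        if last is not None and now - last < REREDIRECT_AFTER_S:
            return "none"  # already hit recently; stay quiet to avoid notice
        self.seen[ip] = now
        return "exploit"


# Constructed user-agent strings for the probes below.
IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
CHROME_LINUX = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B143"


def demo():
    """Six probes against a policy that blacklists half of IPv4, as in the case ESET examined."""
    policy = RedirectPolicy(blacklist=["128.0.0.0/1"])  # illustrative range, not the real list
    t0 = 1_367_000_000
    return [
        policy.decide("10.20.30.41", CHROME_LINUX, "en-US,en;q=0.5", t0),    # Linux/Chrome scanner: none
        policy.decide("203.0.113.5", IE9_WIN7, "en-US,en;q=0.5", t0),        # right browser, blacklisted half: none
        policy.decide("10.20.30.40", IE9_WIN7, "ru-RU,ru;q=0.9", t0),        # Russian UI language: none
        policy.decide("10.20.30.40", IE9_WIN7, "en-US,en;q=0.5", t0),        # Win7 + IE9, English, unseen IP: exploit
        policy.decide("10.20.30.40", IE9_WIN7, "en-US,en;q=0.5", t0 + 600),  # same IP ten minutes later: none
        policy.decide("10.20.30.40", IPHONE, "en-US", t0),                    # iPhone: adult decoy, not the kit
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run as a script it prints the six decisions from demo(). The practical point is the last three: a Windows 7/IE 9 probe in English from an address the server has not seen is redirected once, the same address a few minutes later is not, and nothing at all reaches the exploit kit from a blacklisted range. A clean probe result is therefore weak evidence, and host-side verification of the web server binaries is the check to rely on.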

Despite these seeming incongruities, however, the ESET researchers believe Linux/Cdorked.A is a sophisticated, stealthy attack that has been underway since at least December 2012. They even believe it involves the use of compromised DNS servers to generate its redirects, something they describe as “unusual.”

So far, they say, at least 400 webservers have been found to be infected with the malware, 50 of which were ranked in Alexa’s top 10,000 most popular websites.

To avoid falling victim to the attack, users are advised to make sure that their browsers and plugins are all fully up-to-date – or, where possible, disabled – and to run antivirus software.

Server administrators who want to make sure their systems aren’t compromised can download the latest version of ESET’s detection tool, which has been updated to spot all known variants of the malware affecting Apache, Lighttpd, and Nginx. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/08/cdorked_latest_details/