In recent years, exploit packs have become an increasingly popular tool for the distribution of malware. An advantage of these packs is that they do not require cooperation on the part of the user, which has the potential to be far more effective than traditional social-engineering methods. However, cybercriminals still need to bring visitors to those exploit packs. Some groups rely on spam messages to drive traffic, while others rely on paid advertising, a practice sometimes referred to as malvertising.
A third method aims to reach users by compromising the websites they visit. With the discovery of Darkleech and CDorked, it has become apparent that malicious modifications to web servers running on Linux are now used for mass malware distribution. In this presentation we will describe two campaigns using this malware: the Home campaign and the CDorked campaign.
We will describe our own experience in tracking those two campaigns, what worked well, the shortcomings we faced, and the steps we took to mitigate these threats. Finally, we will consider what this implies for monitoring efforts and suggest methods to make them more effective.