not apache module
"she noticed two modules - one called mod_bwlimited and the other enable_dl - in the Apache webserver that were responsible for transmitting the randomized malware onto end users' machines"
enable_dl doesn't seem to be an apache module - rather a configuration setting in php (deprecated in php5). See here http://uk2.php.net/manual/en/ref.info.php#ini.enable-dl. It allows dynamic loading of php modules in apache servers.
if these TWO settings are always associated with compromised servers then it suggests that php is involved in the compromise