
Spam-blasting malware infects thousands of Linux and FreeBSD servers


8 replies to this topic

#1 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 11,793 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 30 April 2015 - 05:47 PM

 

Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam, researchers said Wednesday. The malware likely infected many more machines during the five years it's known to have existed.

Most of the machines infected by the so-called Mumblehard malware are believed to run websites, according to the 23-page report issued by researchers from antivirus provider Eset. During the seven months that they monitored one of its command and control channels, 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks. The discovery is reminiscent of Windigo, a separate spam botnet made up of 10,000 Linux servers that Eset discovered 14 months ago.

The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail. These two main components are written in Perl and they're obfuscated inside a custom "packer" that's written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that's arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.

More and more complex

"Malware targeting Linux and BSD servers is becoming more and more complex," researchers from Eset wrote. "The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption."

The researchers uncovered evidence that Mumblehard may have links to Yellsoft, a company that sells DirecMailer, which is Perl-based software for sending bulk e-mail. The block of IP addresses for both Yellsoft and some of the Mumblehard C&C servers share the same range. What's more, pirated copies of DirecMailer silently install the Mumblehard backdoor. The pirated copies are also obfuscated by the same packer used by Mumblehard's malicious components.

Eset researchers discovered Mumblehard after being contacted by a system administrator who sought assistance for a server that was added to public security blacklists for sending spam. The researchers identified and analyzed a process that was causing the server to connect to different SMTP servers and send spam. The researchers then linked the behavior to an executable file located in the server's /tmp directory.

A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes.

The Eset researchers still aren't certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program. The almost 9,000 IP addresses Eset observed can't be directly correlated to the number of machines that were infected by Mumblehard, since in some cases more than one server may share an address and in other cases a single server may give up an old address and take up a new one. Still, the number is a strong indication that several thousand machines were affected during the seven months Eset monitored the malware.

Administrators who want to check their servers for Mumblehard infections should look for unexplained daemons. These so-called cronjobs added by the malware activate the backdoor and cause it to query C&C servers four times per hour in precise, 15-minute increments. The backdoor is usually located in the /tmp or /var/tmp folders. The backdoor can be deactivated by mounting the directories with the noexec option.

Spam-blasting malware infects thousands of Linux and FreeBSD servers
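As an added example (not from the article or from Eset's report), the following POSIX shell script audits the two indicators the post gives administrators: cron entries that run a program out of /tmp or /var/tmp on a 15-minute schedule, and whether those directories are mounted noexec. The crontab and mount lines embedded below are constructed samples, and the file name mumblehard_check.sh is assumed.

```shell
#!/bin/sh
# Added example, not from the article or Eset's report. Audits the two things
# the post tells admins to check: cron entries that run a program from /tmp or
# /var/tmp on a 15-minute schedule, and whether those directories are mounted
# noexec. Sample data below is constructed for illustration.

# Count non-comment crontab lines (stdin) that execute something under
# /tmp or /var/tmp.
count_tmp_cron_lines() {
    grep -vE '^[[:space:]]*#' | grep -cE '(^|[[:space:]])(/var)?/tmp/[^[:space:]]+'
}

# Exit 0 if a crontab line fires every 15 minutes ("*/15" or "0,15,30,45").
is_15min_schedule() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*(\*/15|0,15,30,45)[[:space:]]'
}

# Exit 0 if mount point $1 appears with noexec in mount(8) output on stdin.
# Matches both Linux "(rw,noexec)" and FreeBSD "(ufs, local, noexec)" styles.
is_noexec_mount() {
    grep -E "[[:space:]]on[[:space:]]$1[[:space:]]" | grep -qE '[(, ]noexec[,)]'
}

# Constructed samples: one cron line resembling the described behaviour plus
# a benign one; /tmp mounted noexec, /var/tmp not.
SAMPLE_CRON='# constructed sample crontab
*/15 * * * * /var/tmp/.example_backdoor >/dev/null 2>&1
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'
SAMPLE_MOUNTS='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)
/dev/ada0p3 on /var/tmp (ufs, local, soft-updates)'

# Run against the live system with: sh mumblehard_check.sh --live
if [ "$1" = "--live" ]; then
    { crontab -l; cat /etc/crontab /etc/cron.d/*; } 2>/dev/null |
        grep -vE '^[[:space:]]*#' | grep -E '(/var)?/tmp/' | while read -r line; do
        is_15min_schedule "$line" && echo "15-minute cron job from /tmp: $line"
    done
    for mp in /tmp /var/tmp; do
        mount | is_noexec_mount "$mp" || echo "$mp is not mounted noexec"
    done
else
    echo "suspicious sample cron lines: $(printf '%s\n' "$SAMPLE_CRON" | count_tmp_cron_lines)"
    for mp in /tmp /var/tmp; do
        printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec_mount "$mp" && echo "$mp: noexec" || echo "$mp: NOT noexec"
    done
fi
```

Without arguments the script only reports on the constructed samples; the --live branch reads the real crontabs and mount table.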





#2 paul88ks

  • Members
  • 1,268 posts
  • Gender:Male
  • Location:Dallas, Texas

Posted 30 April 2015 - 10:21 PM

That is a little unnerving! Should I be concerned with my Linux installs? I thought Linux didn't need an anti-virus program, at least for a private user anyway...



#3 mremski

  • Members
  • 480 posts
  • Gender:Male
  • Location:NH

Posted 01 May 2015 - 06:46 AM

If you read the paper, infection vectors are related to Joomla, WordPress and a program sold by YellSoft. If you are doing any of those and exposing your systems as servers, then you may be concerned. Read the paper; it's only 23 pages and has good information. Prevention is fairly easy, it looks: mount noexec on a couple of directories, look for traffic going to specific IPs (yes, these could change, but a firewall blocking a range of IPs should help).

 

If your systems are basically client systems and you are not serving up any publicly accessible things, your probability of infection is probably low. If one reads and understands these things, on the *nix systems applications are a primary route for compromise, so keep up on security announcements for applications that you use.

 

But this is a good lesson on:

"No matter what OS and applications you run, server or home user, pay attention to security announcements. Just like defense of yourself and your family is your responsibility, security of your computer assets is primarily up to you."

 

Anti-virus, anti-malware, anti-rootkit, etc. software are just tools in your box to use. The bulk of infections are caused by human behavior (blindly clicking "OK", allowing embedded links in email to "show", etc.).

 

"Default Deny". Say it to yourself a number of times, embrace the concept. It works for firewalls, applications, users, everything (even your kids asking for money).

 

Oh, for some good information, google up "Marcus Ranum Six Dumbest Ideas in Computer Security".  Written a while ago, but still valid today.

 

These are my opinions, feel free to ignore, think about, tell me I'm full of it. You get what you pay for :)


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#4 NickAu

    Bleepin' Fish Doctor

  • Topic Starter
  • Moderator
  • 11,793 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 01 May 2015 - 08:50 AM

 

You get what you pay for

You get paid?



#5 mremski

  • Members
  • 480 posts
  • Gender:Male
  • Location:NH

Posted 01 May 2015 - 08:55 AM

 

 

You get what you pay for

You get paid?

 

Yes, in peanut butter cookies (normal salary). Bonuses are in cannoli.

 

Rereading the paper; pretty clever. I often wonder "what if these people actually put their talents towards developing something non-criminal"?


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#6 shadow-warrior

  • Members
  • 188 posts
  • Gender:Male
  • Location:Nicaragua

Posted 01 May 2015 - 09:13 AM

I have always thought that AV companies develop all the malware... then they can be the ones who discover and rid the world of the threat... which means more money from big corporations...

 

I don't know how many years we have been getting dodgy e-mails. I remember having to rid my Win95 of a KAK worm I got from an e-mail apparently from a girl called Nicola Lyndsey, who needed help setting up her Outlook account... the fact I didn't know her didn't stop me clicking it...

 

I think every server in the public domain is probably spewing some garbage (dread to think what Windows servers have)... and like this latest one, it has been around for 5 years or maybe more...



#7 rp88

  • Members
  • 2,901 posts
  • Gender:Not Telling

Posted 01 May 2015 - 01:30 PM

Regarding post #3: "You get what you pay for"
Just to throw in an opinion, the best two pieces of software I ever downloaded were free ones (Blender 2.65 and SketchUp 8). To add another opinion, I've never had any security problems in the last few years, for the entirety of which I've only used free tools for security. Although your statement might apply in the cases of high- and low-price products, free products can in many cases circumvent that observation entirely.

Edited by rp88, 01 May 2015 - 01:30 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#8 mremski

  • Members
  • 480 posts
  • Gender:Male
  • Location:NH

Posted 01 May 2015 - 04:06 PM

Sorry, the "get what you pay for" was meant to be applied to my opinions, not any piece of software. I guess I wasn't clear enough on the context.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#9 paul88ks

  • Members
  • 1,268 posts
  • Gender:Male
  • Location:Dallas, Texas

Posted 01 May 2015 - 09:46 PM

No servers here, and the only news I watch online is CNN! So I have my UFW enabled; should be OK!





