‘Mayhem’ Proliferates through FreeBSD, Linux Web-Servers, State Experts
Security researchers have spotted a new piece of malware named "Mayhem" that proliferates through FreeBSD and Linux Web-servers, theregister.co.uk reported on July 18, 2014.
Security researchers Evgeny Sidorov, Konstantin Otrashkevich and Andrew Kovalev from Yandex, an Internet company in Russia, studied both the CnC (command-and-control) servers and the client side of Mayhem and wrote up their findings in a paper for Virus Bulletin.
According to them, a partial assessment of Mayhem that the MalwareMustDie research team published in May 2014 reveals that the malware has many of the functions of a conventional Windows bot; however, it is capable of operating even when its rights on the system are restricted. Securityweek.com reported this on July 18, 2014.
The researchers explain that Mayhem spreads as a PHP script which, as of mid-June, was detected by just 3 AV solutions on VirusTotal. Once on a PC, the threat starts interacting with its CnC server through HTTP POST requests and responses.
In all, the researchers identified 7 CnC commands. The functions Mayhem performs include informing the server of its successful installation on the target PC, requesting files, transmitting data, and reporting its status. Conversely, the CnC instructs the bot to execute a fresh task, halt an ongoing one, transmit data, or install plug-ins, the researchers disclose.
Also, being modular, Mayhem's functions can be expanded via plug-ins; so far, the researchers have uncovered eight. These include brute-forcing the passwords of users of Joomla or WordPress sites, crawling websites to gather information, locating a certain RFI (remote file inclusion) security flaw, and enumerating the users of WordPress sites.
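The brute-force and user-enumeration plug-ins described above leave traces in ordinary web-server access logs. The following is an added example (not from the article or from the Yandex paper) of a defender-side check in Python that flags both patterns in constructed Apache log lines; the status-code assumption and the thresholds are the example's own.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (not from the article): one host hammering
# wp-login.php, one sweeping ?author=N, and one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jul/2014:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jul/2014:10:01:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jul/2014:10:01:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Jul/2014:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse(lines):
    """Yield dicts for lines matching the combined log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspicious(lines, login_threshold=5, author_threshold=3):
    """Map source IP -> set of findings. Assumption: WordPress answers a failed
    login POST with 200 (the form again) and a successful one with a 302."""
    failed_logins = defaultdict(int)
    author_ids = defaultdict(set)
    for rec in parse(lines):
        path = rec['path'].split('?', 1)[0]
        if rec['method'] == 'POST' and path.endswith('/wp-login.php') and rec['status'] == '200':
            failed_logins[rec['ip']] += 1
        m = AUTHOR_RE.search(rec['path'])
        if rec['method'] == 'GET' and m:
            author_ids[rec['ip']].add(int(m.group(1)))
    findings = defaultdict(set)
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].add('wp-login brute force')
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:  # distinct IDs, not raw hit count
            findings[ip].add('author enumeration')
    return dict(findings)
```

Run `find_suspicious(SAMPLE_LOG.splitlines())` to see both constructed hosts flagged; tune the thresholds to the site's normal login and author-page traffic before using it on real logs.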
An assessment of the CnC servers controlling the botnet helped the team unearth statistical figures from two of them, which together controlled 1,400 infected servers.
Apparently, the countries with the most infections are Canada, USA, Germany and Russia.
Mayhem's operators haven't yet enabled the full capabilities of the key servers, which harbor other malicious components that hadn't yet been served to the infection-spreading bots.
Notably, the researchers have discovered one plug-in that abuses 'Heartbleed', a recently spotted flaw, to harvest data stored on vulnerable servers.
SPAMfighter News - 28-07-2014