Linux and BSD Web Servers Infected with ‘Mumblehard’ Malware

Researchers at security firm ESET say that a malware family nicknamed Mumblehard has been successfully infecting web servers running Linux and BSD for over five years.

The malware managed to fly under the radar and compromised thousands of Linux machines, with the botnet doubling in size over a period of six months.

The security firm analyzed the malware and says that the Mumblehard family has two components: one that sends spam and one that acts as a backdoor. Both are written in Perl and are wrapped in the same custom packer written in assembly language.

Monitoring of the botnet suggests that the main purpose of Mumblehard is spam distribution, hiding behind the reputation of the legitimate IP addresses of infected machines.

ESET researchers were able to monitor the backdoor component of Mumblehard by registering a domain name used as one of its command & control servers. While observing the incoming requests, they saw more than 8,500 unique IP (Internet Protocol) addresses hit the sinkhole with behavior matching Mumblehard. The security firm says that the domain received requests from more than 3,000 unique IPs in the first week of April alone.

Interestingly, Mumblehard is also distributed through 'pirated' copies of a Linux and BSD program called DirectMailer, software sold on the Yellsoft website for $240.

In a statement published by Enterpriseinnovation.net on 30th April, 2015, Marc-Etienne M. Leveille, Lead ESET Security Researcher, explained that their investigation showed strong links with a software company known as Yellsoft.

Leveille explained that, among other discoveries, they found that IP addresses hard-coded in the malware are closely tied to those of Yellsoft.

The security firm explained that administrators can check whether a machine is infected by looking for unwanted cronjob entries for all users, because Mumblehard uses cron to trigger the backdoor every 15 minutes.
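One way to run the cron check described above, as an added example that is not ESET's tooling or part of the original article: it lists crontab entries whose schedule fires every 15 minutes, however the minute field is written. The function names, the `--live` switch and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ESET's tooling: list cron entries that fire every 15 minutes.
# flag_15min reads crontab text on stdin and prints entries whose hour field is "*"
# and whose minute field expands to four slots 15 apart (*/15, 0-59/15, 7,22,37,52).
flag_15min() {
  awk '
    function expand(field, set,   n, parts, i, p, r, step, lo, hi, k) {
      n = split(field, parts, ",")
      for (i = 1; i <= n; i++) {
        p = parts[i]; step = 1
        if (split(p, r, "/") == 2) { p = r[1]; step = r[2] + 0 }
        if (p == "*") { lo = 0; hi = 59 }
        else if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
        else { lo = hi = p + 0 }
        if (step < 1) step = 1
        for (k = lo; k <= hi && k <= 59; k += step) set[k] = 1
      }
    }
    function every15(field,   set, k, c, nxt) {
      split("", set)                          # start from an empty array
      expand(field, set)
      for (k in set) { c++; nxt = (k + 15) % 60; if (!(nxt in set)) return 0 }
      return c == 4
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }   # environment assignments
    $1 ~ /^@/ { next }                        # @reboot, @hourly and similar
    NF >= 6 && $2 == "*" && every15($1) { print }
  '
}
# Live audit of every account; assumes root and a crontab that supports -u.
audit_all_users() {
  cut -d: -f1 /etc/passwd | while read -r u; do
    crontab -u "$u" -l 2>/dev/null | flag_15min | awk -v u="$u" '{ print u ": " $0 }'
  done
}
# Constructed sample crontab (paths are placeholders, not Mumblehard indicators).
sample_crontab() {
  cat <<'EOF'
MAILTO=root
*/15 * * * * /home/web/placeholder-a >/dev/null 2>&1
7,22,37,52 * * * * /home/web/placeholder-b
*/5 * * * * /usr/local/bin/healthcheck
*/15 3 * * * /usr/local/bin/nightly-window
EOF
}
if [ "${1:-}" = "--live" ]; then audit_all_users; else sample_crontab | flag_15min; fi
```

Legitimate jobs also run on a 15-minute cadence, so treat the output as a list of entries to review against what each account is expected to schedule.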

ESET reminds web administrators to keep their web servers' operating systems and applications updated with patches and to run only reputable security software on their systems.

» SPAMfighter News - 5/6/2015
