Wednesday, 6 May 2015

Linux Malware: Spam from your servers

ESET researchers uncovered a family of Linux malware named Linux/Mumblehard that stayed under the radar for more than 5 years, targeting mainly web servers.

Monitoring of the botnet indicates that the main purpose of Mumblehard is to send spam messages while sheltering behind the reputation of the legitimate IP addresses of the infected machines. During the first week of April, more than 3,000 machines were affected by Mumblehard. The number of infected hosts is slowly decreasing, but the overall view shows that infections happen at specific times and that the botnet's size doubled over a 6-month period.

The Mumblehard malware family has two components: a backdoor and a spamming daemon. Both are written in Perl and share the same custom packer, written in assembly language, which obfuscates the Perl source code and shows a level of sophistication higher than average. ESET researchers were able to monitor the Mumblehard backdoor component by registering a domain name used as one of its C&C servers. More than 8,500 unique IP addresses showing Mumblehard behaviour hit the sinkhole while ESET were observing the incoming requests.

Prevention

Victims should look for unsolicited cronjob entries for all the users on their servers; this is the mechanism the Mumblehard backdoor uses to re-activate itself every 15 minutes. The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.
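The two checks above, as an added shell example that is not part of the ESET post and not ESET's own tooling: one function flags crontab entries whose command runs out of /tmp or /var/tmp, and another checks whether a mount's option string contains noexec. The sample crontab is constructed for the demo (the `.updater` name is a placeholder, not a real indicator); `scan_all_user_crontabs` and `mount_options` are helpers of my own for running the same checks against a live host.

```shell
#!/bin/sh
# Added example (not from the ESET post): defender-side checks for the two
# indicators described above -- cron entries that launch something from
# /tmp or /var/tmp, and whether those directories are mounted noexec.

# flag_tmp_cron: reads crontab text on stdin and prints every active entry
# whose command references a path under /tmp or /var/tmp. Comment lines and
# blank lines are dropped first so commented-out entries do not trigger it.
flag_tmp_cron() {
    grep -v '^[[:space:]]*#' \
      | grep -v '^[[:space:]]*$' \
      | grep -E '(^|[[:space:]])(/var)?/tmp(/|[[:space:]]|$)'
}

# has_noexec: takes a comma-separated mount option string, as found in the
# fourth column of /proc/mounts, and succeeds only if noexec is among them.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# mount_options: prints the option string for a mount point from /proc/mounts.
# Prints nothing when the path is not a separate mount (then /tmp inherits the
# root filesystem's options and noexec cannot be set on it alone).
mount_options() {
    awk -v mp="$1" '$2 == mp { print $4 }' /proc/mounts 2>/dev/null || true
}

# scan_all_user_crontabs: runs flag_tmp_cron over every account in
# /etc/passwd plus the system crontab files. Needs root to read other
# users' crontabs; prefixes each hit with the crontab it came from.
scan_all_user_crontabs() {
    cut -d: -f1 /etc/passwd | while read -r u; do
        crontab -l -u "$u" 2>/dev/null | flag_tmp_cron | sed "s|^|[user $u] |"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_tmp_cron | sed 's|^|[system] |'
    return 0
}

# Constructed sample crontab for the offline demo: two entries run out of the
# temp directories every 15 minutes, two are ordinary maintenance jobs.
SAMPLE_CRONTAB='# constructed sample, not a real capture
*/15 * * * * /var/tmp/.updater >/dev/null 2>&1
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /tmp/x
@daily /usr/local/bin/backup.sh'

echo "Suspicious entries in sample crontab:"
printf '%s\n' "$SAMPLE_CRONTAB" | flag_tmp_cron

# Demo of the mount check on two constructed option strings.
for opts in "rw,nosuid,nodev,noexec,relatime" "rw,relatime"; do
    if has_noexec "$opts"; then
        echo "$opts -> noexec set"
    else
        echo "$opts -> noexec NOT set"
    fi
done
```

On a live host, run `scan_all_user_crontabs` as root and feed `mount_options /tmp` (and `/var/tmp`) into `has_noexec`; an empty option string means the directory is not its own mount, so noexec has to be applied by giving it a dedicated tmpfs or bind mount rather than by editing the existing entry.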

More info and graphics at ESET Ireland’s blog.