ESET researchers uncovered a family of Linux malware named Linux/Mumblehard that stayed under the radar for more than 5 years, targeting mainly web servers.
There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. Both are written in Perl and use the same custom packer, written in assembly language, to obfuscate the Perl source code, which shows a level of sophistication higher than average. ESET researchers were able to monitor the Mumblehard backdoor component by registering a domain name used as one of the C&C servers. More than 8,500 unique IP addresses showing Mumblehard behaviour hit the sinkhole while ESET was observing the incoming requests.
Victims should look for unsolicited cronjob entries for all the users on their servers; this is the mechanism the Mumblehard backdoor uses to reactivate itself every 15 minutes. The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.
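The checks above, put into a small triage script. This is an added example, not ESET's code: it scans crontab text for entries that run something from /tmp or /var/tmp and checks whether /tmp is mounted noexec; the crontab and /proc/mounts lines embedded in it are constructed sample data, and scan_host assumes a host where it runs as root.

```shell
#!/bin/sh
# Added triage helper (not ESET's code) for the persistence pattern described above:
# a per-user cron entry that launches a binary from /tmp or /var/tmp.

# Constructed sample crontab; the */15 entry mimics the 15-minute reactivation.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /var/tmp/constructed_sample >/dev/null 2>&1
30 6 * * 1 /home/alice/report.sh'

# Constructed /proc/mounts lines: /tmp is noexec, /var is not.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /var ext4 rw,relatime 0 0'

# Print crontab lines (read from stdin) whose command references /tmp or /var/tmp.
flag_tmp_cron_entries() {
    grep -v '^[[:space:]]*#' |
        grep -E '(^|[[:space:]])(/var)?/tmp(/|[[:space:];]|$)'
}

# Number of flagged lines, for scripting.
count_tmp_cron_entries() {
    flag_tmp_cron_entries | wc -l | tr -d ' '
}

# Succeed (exit 0) if the /proc/mounts-style text on stdin shows $1 mounted noexec.
mount_has_noexec() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live host check (needs root): every user's crontab plus the system cron files.
# Only /tmp is checked as a mount point; /var/tmp normally inherits the options of /var.
scan_host() {
    {
        cut -d: -f1 /etc/passwd | while read -r user; do
            crontab -u "$user" -l 2>/dev/null | sed "s/^/$user: /"
        done
        cat /etc/crontab /etc/cron.d/* 2>/dev/null
    } | flag_tmp_cron_entries
    mount_has_noexec /tmp </proc/mounts || echo "WARNING: /tmp is not mounted noexec"
}

# Demonstration on the constructed data: prints the */15 entry, then "/tmp is noexec".
printf '%s\n' "$SAMPLE_CRONTAB" | flag_tmp_cron_entries
printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_noexec /tmp && echo "/tmp is noexec"
```

Run scan_host on a suspect server to apply the same two checks to the real crontabs and /proc/mounts.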
More info and graphics at ESET Ireland’s blog.