Thousands of machines have been infected

Apr 29, 2015 15:43 GMT  ·  By

A malware family dubbed Mumblehard by security researchers has been successfully targeting web servers running on both Linux and BSD for more than five years with the purpose of abusing them for sending out spam messages.

The malware managed to fly under the radar and enslaved thousands of Linux machines, the botnet doubling in size over an observed period of six months.

Malware used for delivering spam

ESET was able to register one of the domains used by the botnet as a command and control (C&C) server and sinkholed the connections from compromised systems.

According to their analysis, Mumblehard has two components, one providing backdoor access to the infected machine and the other intended for sending spam.

“They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average,” wrote Marc-Etienne M.Léveillé in a recent blog post.

He also says that the malware has generic proxy capabilities; its listening socket accepts connections only from the C&C server, although additional hosts can be added to a whitelist.

Pirated version of Yellsoft's DirectMailer used to infect web servers

Telemetry data from ESET shows that the sinkhole it set up was accessed by more than 8,500 unique IP addresses. In the first week of April alone, the domain received requests from over 3,000 unique IPs.

Following an analysis of the malware, the researchers were able to spot a link with DirectMailer, a program developed by Yellsoft for mass mail delivery purposes.

One of the clues in support of this is that the IPs for the C&C servers were in the same range as the web server hosting Yellsoft’s website. The other is that cracked versions of DirectMailer that install Mumblehard have been found online.

During seven months of observed activity, the researchers’ sinkhole saw connections from 8,867 unique addresses, and the highest number seen in a single day was 3,292. Mumblehard has been active since at least 2009, Léveillé says.

Checking whether a machine is infected can be done by looking for unsolicited cron job entries for all users, since Mumblehard uses this mechanism to activate the backdoor every 15 minutes.
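
The check described above, as an added example that is not part of the article or ESET's own tooling: a POSIX shell script that lists cron entries firing every 15 minutes across all accounts. It assumes a Vixie-style crontab(1) with `-u`, and the sample crontab it exercises is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the article or ESET: list cron entries scheduled
# every 15 minutes, the cadence the article attributes to Mumblehard's backdoor.
# Schedule matching is only a heuristic; every hit still needs a human to
# confirm the command is unexpected. Assumes a Vixie-style crontab(1).

# Read crontab text on stdin, print the lines whose minute field fires
# every 15 minutes. Comments, blank lines, VAR=value lines and @-shortcuts
# are skipped. Works for per-user crontabs and for /etc/crontab, whose
# extra user column does not move the minute field.
find_15min_entries() {
    awk '
        /^[[:space:]]*#/ { next }                        # comment
        NF == 0 { next }                                 # blank line
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }  # environment assignment
        /^[[:space:]]*@/ { next }                        # @reboot, @hourly, ...
        $1 == "*/15" || $1 == "0-59/15" || $1 == "0,15,30,45" { print }
    '
}

# Scan every account in /etc/passwd plus the system crontab files; needs root.
scan_all_users() {
    cut -d: -f1 /etc/passwd | while read -r user; do
        crontab -l -u "$user" 2>/dev/null | find_15min_entries | sed "s/^/$user: /"
    done
    for f in /etc/crontab /etc/cron.d/*; do
        if [ -f "$f" ]; then
            find_15min_entries < "$f" | sed "s|^|$f: |"
        fi
    done
}

# Constructed sample crontab (not a real capture) used to exercise the matcher.
SAMPLE_CRONTAB='# constructed sample, not from a real host
MAILTO=root
0 3 * * * /usr/bin/backup.sh
*/15 * * * * /var/tmp/.x/run >/dev/null 2>&1
@hourly /usr/bin/logrotate
0,15,30,45 * * * * /tmp/.cache/ident
*/5 * * * * /usr/bin/healthcheck'

# Run the real scan only when explicitly requested, so sourcing this file is safe.
if [ "${RUN_CRON_SCAN:-0}" = "1" ]; then
    scan_all_users
else
    printf '%s\n' "$SAMPLE_CRONTAB" | find_15min_entries
fi
```

Run with `RUN_CRON_SCAN=1` as root to scan the live system; without it the script only prints the two matching lines from the constructed sample.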

Figure: Overview of Mumblehard communication with C&C
Figure: Number of infected machines connecting to ESET's sinkhole