Researchers have revealed a family of Linux malware that stayed under the radar for more than five years. The malware, which ESET have named Linux/Mumblehard is targeting servers running Linux and BSD systems.
The primary purpose of this malware is to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines. “We were able to identify victimised system and began the process of notifying its owners,” said Lead ESET security researcher Marc-Etienne M. Léveillé. “Now that the technical details about the threat are public, it will be easier for the victims to understand what they face and clean their servers.”
ESET identified over 8500 unique IP addresses affected by Mumblehard during the 7 month research period. ESET say that the malware is made up of two different components. Exploiting vulnerabilities in Joomla and WordPress, the first component is a generic backdoor that requests commands from its Command and Control server. The second component is a full-featured spammer daemon that is launched via a command received by the backdoor.
Mumblehard is also distributed via ‘pirated’ copies of a Linux and BSD program known as DirectMailer, software sold on website Yellsoft for $240. “Our investigation showed strong links with a software company called Yellsoft,” explained Léveillé. “The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.” explained Léveillé.
ESET advises victims to ‘look for unsolicited cronjob entries for all the users on their servers.’ The full whitepaper can be downloaded here.