A new family of malware, dubbed “Mumblehard” by security researchers, has been successfully infecting web servers running on Linux and BSD for more than five years.
Despite being uploaded to VirusTotal in 2009, the malware has gone largely undetected since and, over the last six months alone, has doubled in size, leading to a botnet capable of blasting out a huge amount of spam email.
Researchers from antivirus company ESET first became aware of Mumblehard when a systems administrator asked for help after discovering that one of their servers had been blacklisted for sending spam.
Since then, ESET has monitored the botnet for several months, discovering its command and control mechanism as well as 8,867 unique IP addresses connected to it, 3,000 of which were added in the last three weeks alone.
They also discovered that Mumblehard possesses two key components – one that is responsible for the spam operation, and another which acts as a backdoor. Both components were found to have been written using Perl and contain the same custom packer written in assembly language.
In a 23-page report issued by ESET, the researchers wrote:
“Malware targeting Linux and BSD servers is becoming more and more complex. The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”
Further investigation into Mumblehard appears to link it to Yellsoft, a company selling DirectMailer, an automated email distribution system that allows users to send messages anonymously.
DirectMailer, which is also written in Perl and runs on UNIX-type systems, is available for $240, though it is interesting to note that the developers actually link to a site offering a cracked copy of the software. As if this isn’t shady enough, they also note that they are unable to provide any technical support for pirated versions of the software.
Lo and behold, the ESET researchers subsequently discovered that the cracked copy of the software contains the Mumblehard backdoor, meaning that once it is installed, the operator of the botnet can then send spam and proxy traffic through the infected device. Whether or not the official version of DirectMailer contains the malware is not known.
The researchers are continuing to analyse how Mumblehard installs itself on a system and currently believe that, beyond the pirated DirectMailer software, systems may also be at risk if running a vulnerable version of the Joomla or WordPress content management systems.
Therefore, ESET’s advice to systems administrators is obvious – keep operating systems and applications fully updated with patches and be sure to run security software provided by a reputable vendor.
Administrators can also look out for unexplained cron jobs running on servers – Mumblehard uses them to dial home to its command and control servers exactly every 15 minutes.
Also, the backdoor is typically found within the /tmp or /var/tmp folders and can be nullified by mounting those directories with the noexec flag.
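The two checks above (a cron job that fires every 15 minutes and runs something out of /tmp or /var/tmp, and those directories lacking the noexec mount option) can be scripted. The following POSIX shell script is an added example written for this article, not code from ESET's report or from the Mumblehard analysis; the crontab and /proc/mounts contents it scans are constructed samples, and treating a `*/15` or `0,15,30,45` minute field as the "every 15 minutes" signature is an assumption made here for illustration, not an indicator published by ESET.

```shell
#!/bin/sh
# Added example for this article (not ESET's code). Flags crontab lines that
# run every 15 minutes from /tmp or /var/tmp, and reports tmp mounts without
# noexec. All input below is constructed sample data, not a real system.

# Constructed sample crontab (user-crontab format: five schedule fields + command).
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /var/tmp/.x/run >/dev/null 2>&1
*/5 * * * * /usr/local/bin/healthcheck
0,15,30,45 * * * * /tmp/.hidden/update
'

# Constructed sample in /proc/mounts format: device mountpoint fstype options.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/tmp ext4 rw,relatime 0 0
'

# flag_cron_lines: read crontab text on stdin and print every non-comment line
# whose minute field means "every 15 minutes" (assumed signature: */15 or
# 0,15,30,45) and whose command part references /tmp/ or /var/tmp/.
flag_cron_lines() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }   # skip comments and short lines
        {
            every15 = ($1 == "*/15" || $1 == "0,15,30,45")
            cmd = ""
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            if (every15 && cmd ~ /\/(var\/)?tmp\//) print $0
        }'
}

# mount_lacks_noexec MOUNTPOINT: read /proc/mounts-style text on stdin; exit 0
# (true) if MOUNTPOINT is listed and its options do NOT include noexec,
# otherwise exit 1.
mount_lacks_noexec() {
    mp="$1"
    awk -v mp="$mp" '
        $2 == mp { found = 1; if ($4 !~ /(^|,)noexec(,|$)/) missing = 1 }
        END { exit ((found && missing) ? 0 : 1) }'
}

# count_flagged: number of suspicious lines found in SAMPLE_CRONTAB.
count_flagged() {
    printf '%s' "$SAMPLE_CRONTAB" | flag_cron_lines | wc -l | tr -d ' '
}

# Stand-alone run against the constructed samples.
echo "Suspicious cron entries:"
printf '%s' "$SAMPLE_CRONTAB" | flag_cron_lines
for mp in /tmp /var/tmp; do
    if printf '%s' "$SAMPLE_MOUNTS" | mount_lacks_noexec "$mp"; then
        echo "$mp is mounted without noexec"
    fi
done
```

On a live host you would feed real data instead of the samples: `crontab -l -u someuser | flag_cron_lines`, `cat /etc/crontab /etc/cron.d/* | flag_cron_lines`, and `mount_lacks_noexec /tmp < /proc/mounts`. System crontab files carry an extra user column before the command; because the function concatenates every field from the sixth onward, that column simply becomes part of the scanned command string and does not break the match. The schedule heuristic is deliberately narrow, so treat a hit as a prompt to inspect the job rather than as proof of infection, and treat a miss as no guarantee of a clean host.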