
Malware infects thousands of Linux and FreeBSD servers

GoodBytes

Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past 7 months with a sophisticated piece of malware, called Mumblehard, that has a large impact on them. It turns the servers into part of a mass network which blasts the Internet with spam. More servers might have been infected, as the malware has existed since 5 years ago.


Most of the machines infected by the so-called Mumblehard malware are believed to run websites, according to the 23-page report issued by researchers from antivirus provider Eset. During the seven months that they monitored one of its command and control channels, 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks. The discovery is reminiscent of Windigo, a separate spam botnet made up of 10,000 Linux servers that Eset discovered 14 months ago.

The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail. These two main components are written in Perl and they're obfuscated inside a custom "packer" that's written in assembly, an extremely low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that's arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.

"Malware targeting Linux and BSD servers is becoming more and more complex," researchers from Eset say.

The worst is that Eset doesn't know how the malware is installed on the server, so it doesn't know how to prevent it from infecting other servers.

 

"Malware targeting Linux and BSD servers is becoming more and more complex," researchers from Eset wrote. "The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption."

The researchers uncovered evidence that Mumblehard may have links to Yellsoft, a company that sells DirecMailer, which is Perl-based software for sending bulk e-mail. The block of IP addresses for both Yellsoft and some of the Mumblehard C&C servers share the same range. What's more, pirated copies of DirecMailer silently install the Mumblehard backdoor. The pirated copies are also obfuscated by the same packer used by Mumblehard's malicious components.

Eset researchers discovered Mumblehard after being contacted by a system administrator who sought assistance for a server that was added to public security blacklists for sending spam. The researchers identified and analyzed a process that was causing the server to connect to different SMTP servers and send spam. The researchers then linked the behavior to an executable file located in the server's /tmp directory.

A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names Mumblehard-infected machines query every 15 minutes.

Eset still isn't certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program. The almost 9,000 IP addresses Eset observed can't be directly correlated to the number of machines that were infected by Mumblehard, since in some cases more than one server may share an address and, in other cases, a single server may give up an old address and take up a new one. Still, the number is a strong indication that several thousand machines were affected during the seven months Eset monitored the malware.

Eset recommends checking for unexpected daemons running on the server.

Source: http://arstechnica.com/security/2015/04/30/spam-blasting-malware-infects-thousands-of-linux-and-freebsd-servers/
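An added defender-side triage example, not code from the article, the forum poster or ESET: it checks for the two host-visible behaviours the article describes, a process running out of /tmp and a spam daemon holding connections to many different SMTP servers. The `ss -tnp` input layout, the scratch-directory list and the five-peer threshold are my assumptions, and all sample data is constructed; FreeBSD's `sockstat` prints a different layout, so the awk field positions would need adjusting there.

```sh
#!/bin/sh
# Added triage example (not from the article or ESET). Both helpers read a
# listing on stdin so they can be run against the constructed samples below
# as well as against live output from the host being investigated.

# Constructed sample: "<pid> <exe-path>" lines, e.g. from readlink /proc/PID/exe.
SAMPLE_PROCS='412 /usr/sbin/sshd
533 /usr/sbin/cron
1871 /tmp/.qmgr
2210 /usr/sbin/apache2'

# Constructed sample in Linux `ss -tnp` layout (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS='ESTAB 0 0 10.0.0.5:43210 203.0.113.7:25 users:(("perl",pid=1871,fd=5))
ESTAB 0 0 10.0.0.5:43211 203.0.113.8:25 users:(("perl",pid=1871,fd=6))
SYN-SENT 0 1 10.0.0.5:43212 198.51.100.4:25 users:(("perl",pid=1871,fd=7))
ESTAB 0 0 10.0.0.5:43213 198.51.100.9:25 users:(("perl",pid=1871,fd=8))
ESTAB 0 0 10.0.0.5:43214 192.0.2.30:25 users:(("perl",pid=1871,fd=9))
ESTAB 0 0 10.0.0.5:43214 192.0.2.30:25 users:(("perl",pid=1871,fd=9))
ESTAB 0 0 10.0.0.5:50001 192.0.2.1:25 users:(("exim4",pid=900,fd=3))
ESTAB 0 0 10.0.0.5:22 192.0.2.50:51000 users:(("sshd",pid=412,fd=4))'

# Print "<pid> <exe>" for processes whose binary lives in a world-writable
# scratch directory (assumed list); the article's sample ran from /tmp.
flag_scratch_binaries() {
  while read -r pid exe; do
    case "$exe" in
      /tmp/*|/var/tmp/*|/dev/shm/*) printf '%s %s\n' "$pid" "$exe" ;;
    esac
  done
}

# Print "<pid> <count>" for processes talking to >= $1 (default 5) distinct SMTP
# peers. A legitimate MTA usually relays via one smarthost; a spam daemon fans out.
count_smtp_peers() {
  awk -v thr="${1:-5}" '
    $1 == "ESTAB" || $1 == "SYN-SENT" {
      peer = $5; proc = $6
      if (peer ~ /:25$/ && match(proc, /pid=[0-9]+/)) {
        pid = substr(proc, RSTART + 4, RLENGTH - 4)
        if (!((pid, peer) in seen)) { seen[pid, peer] = 1; n[pid]++ }
      }
    }
    END { for (pid in n) if (n[pid] >= thr) print pid, n[pid] }'
}

printf '%s\n' "$SAMPLE_PROCS" | flag_scratch_binaries   # 1871 /tmp/.qmgr
printf '%s\n' "$SAMPLE_SS" | count_smtp_peers 5          # 1871 5
```

On a live Linux host the same functions take `for p in /proc/[0-9]*; do printf '%s %s\n' "${p#/proc/}" "$(readlink "$p/exe")"; done` and `ss -tnp` as input; a hit is a starting point for inspection, not proof of infection.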


My VPS got infected with something and has been off for a week. Been too lazy to turn it on, back it up, then wipe it to do a fresh install.

if you want to annoy me, then join my teamspeak server ts.benja.cc


HAHAHAHA LINUX IS NOT UNSTOPPABLE

NEVER GIVE UP. NEVER STOP LEARNING. DONT LET THE PAST HURT YOU. YOU CAN DOOOOO IT


HAHAHAHA LINUX IS NOT UNSTOPPABLE

it's still unstoppable, it's just not invincible

"Great minds discuss ideas; average minds discuss events; small minds discuss people."

Main rig:

i7-4790 - 24GB RAM - GTX 970 - Samsung 840 240GB Evo - 2x 2TB Seagate. - 4 monitors - G710+ - G600 - Zalman Z9U3

Other devices

Oneplus One 64GB Sandstone

Surface Pro 3 - i7 - 256Gb

Surface RT

Server:

SuperMicro something - Xeon e3 1220 V2 - 12GB RAM - 16TB of Seagates 


HAHAHAHA LINUX IS NOT UNSTOPPABLE

 

You do realize that Linux is number one EVERYWHERE apart from the desktop, right?   The world doesn't run on Windows, it runs on Linux.

 

This is bad really. 


Inb4 this thread descends into Windows vs. Linux.

Every topic I post in dies.


HAHAHAHA LINUX IS NOT UNSTOPPABLE

Say that when Linux gets shut down, and the internet crashes and we can't get our porn.

 

Oh wait, you wouldn't even be able to say that if not for linux.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


So is my pfSense box safe? Or should I start monitoring it very closely? And if so, what exactly should I be looking for? Right now my logs don't show anything odd happening other than a failed "connection reset by peer" error that happens from time to time.


You do realize that Linux is number one EVERYWHERE apart from the desktop, right?   The world doesn't run on Windows, it runs on Linux.

 

This is bad really. 

In 2014

 

Windows has 1/3rd web server share, 91% desktop share, and last I looked more than 50% corporate server share. It's more accurate then to say the world runs on Windows, but the internet runs mostly on Linux.

 

http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

 

Many people quote this when trying to argue the opposite; I don't know why, as it doesn't really quantify anything:

http://en.wikipedia.org/wiki/List_of_Linux_adopters

 

 

with regard to this malware, is this discovery going to have an impact on the amount of spam we get, or in the grander scheme of things is this just a drop in the ocean for spam sources?

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


with regard to this malware, is this discovery going to have an impact on the amount of spam we get, or in the grander scheme of things is this just a drop in the ocean for spam sources?

I don't know, but the problem is that it is spreading, and so far, they don't know how, let alone how it takes over the server (as one would assume that the servers aren't running as root - hopefully), so it is difficult to find a fix for, besides: "Hey guys, every once in a while, can you please check your daemons for something fishy? It could be that. Thanks".

I am sure many of the infected servers are fixed, but why has it been 5 years and it is still spreading around?


This will be a true test of an open source model since in theory it should be much easier for everyone to collaborate and patch it. Definitely worth keeping an eye on this and see how things develop.



Several thousand? That doesn't sound very bad, considering how many million servers are running Linux-based OSes.

 

"Linux affected malware" is news. "Windows affected by malware" is the status quo.

 

Yeah... well said mister.


So is my pfSense box safe? Or should I start monitoring it very closely? And if so, what exactly should I be looking for? Right now my logs don't show anything odd happening other than a failed "connection reset by peer" error that happens from time to time.

I too would like to know if my pfsense router and/or my freenas server are safe. If anyone knows what I should be looking for tag me in your response.


My router runs on a proprietary Linux-based operating system, I hope it's safe.


My router runs on a proprietary Linux-based operating system, I hope it's safe.

proprietary linux?


Oh noes, the sky is falling...

Maybe you all need to read the damn article and THEN comment.

 

EDIT:

In fact, since you most likely won't be reading it, let me quote someone from the Ars comment section:

 

 

Not that I know much about this, which is why I read the article and not the comments, but it looks like that poster got a lot of down votes for that comment.



proprietary linux?

It's based on Linux, but you can't download source code for it afaik.


Yeah, that's why I don't bother with Ars, it's almost like I couldn't be arsed.

EDIT: In any case, 8 down votes is nothing on Ars, it's par for the course really. Imagine that scene in 2001 but replace "stars" with "Apple fanboys and stupid Windows monkeys" and you kinda get the idea why their comment section is pretty fucking worthless. I took that quote cos it happens to sum up the stupidly overblown clickbait headline.

EDIT2: I'm on Windows currently myself, just full disclosure.

 

It's a good thing I am a critical thinker and won't pass judgment until I see more evidence for or against then.



It's based on Linux, but you can't download source code for it afaik.

 

Then it is not based on "Linux". It might have elements of it, but not the kernel, since you can't close it under GPLv3.


