Sometimes it feels like there is no stopping the online malware onslaught. It has now come to light that hundreds of computers running the Linux & FreeBSD operating systems may have been infected over 5 years with malware that surreptitiously made them part of a network sending out spam.
Anti-virus firm ESET released a paper earlier this week on the malware, which is suspected to have infected hundreds of servers over the 5 years it is known to have existed. The Slovakia-based IT security company ESET said: Linux/Mumblehard is a family of malware targeting servers running both the Linux & BSD operating systems. A Mumblehard-infected server opens a backdoor for the cybercriminals that allows them full control of the system by running arbitrary code. It also has a general-purpose proxy and a module for sending spam messages. Mumblehard components are mainly Perl scripts encrypted and packed inside ELF binaries.
ESET researchers were able to “sinkhole the backdoor module of Mumblehard” & collect statistics on the infected servers, which allowed them to count the population of infected hosts, determine who the victims were & work with third parties to notify them.
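The sinkhole statistics described above boil down to deduplicating the hosts that check in and tracking when each was first and last seen. The following is an added example, not ESET's tooling: it parses a hypothetical sinkhole access log (timestamp, source IP, request), builds a per-host summary, counts distinct hosts per day, and produces the sorted list of infected addresses a notification effort would start from. The log lines are constructed sample data and the line format is an assumption.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole log (hypothetical format: ISO-8601 UTC timestamp, source IP, request).
# The addresses are documentation ranges, not real victims.
SAMPLE_LOG = """\
2015-03-20T10:05:12Z 198.51.100.10 GET /
2015-03-20T10:05:40Z 198.51.100.10 GET /
2015-03-20T11:15:03Z 203.0.113.7 GET /
2015-03-21T02:00:00Z 198.51.100.10 GET /
2015-03-21T04:30:19Z 192.0.2.55 GET /
malformed line that the parser must skip
2015-03-22T09:45:00Z 203.0.113.7 GET /
"""

# Timestamp followed by a dotted-quad IPv4 address; anything else on the line is ignored.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_sinkhole_log(text):
    """Yield (timestamp, ip) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        timestamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield timestamp, match.group(2)


def summarize_hosts(text):
    """Return {ip: {"first_seen", "last_seen", "checkins"}} for every distinct host."""
    hosts = {}
    for timestamp, ip in parse_sinkhole_log(text):
        record = hosts.setdefault(ip, {"first_seen": timestamp, "last_seen": timestamp, "checkins": 0})
        record["first_seen"] = min(record["first_seen"], timestamp)
        record["last_seen"] = max(record["last_seen"], timestamp)
        record["checkins"] += 1
    return hosts


def daily_active_hosts(text):
    """Return {YYYY-MM-DD: number of distinct hosts that checked in that day}."""
    per_day = defaultdict(set)
    for timestamp, ip in parse_sinkhole_log(text):
        per_day[timestamp.strftime("%Y-%m-%d")].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def notification_list(text):
    """Distinct infected addresses in numeric order, the starting point for notifying their owners."""
    return sorted(summarize_hosts(text), key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip, record in summarize_hosts(SAMPLE_LOG).items():
        print(ip, record["first_seen"], record["last_seen"], record["checkins"])
    print(daily_active_hosts(SAMPLE_LOG))
    print(notification_list(SAMPLE_LOG))
```

Repeated check-ins from one address are collapsed into a single host, which is what keeps the infected-population count honest; the per-day view shows how quickly the population shrinks once notifications go out.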
Researchers discovered Linux/Mumblehard when a system administrator contacted ESET for assistance with a server that was blacklisted for sending spam. “We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat. Our investigation showed that this group or individual has strong links with a software company called “Yellsoft”. The first sample of the Mumblehard spammer component we were able to find was submitted to VirusTotal in 2009. Yellsoft has been active since 2004. It is unclear if they were involved in malicious activities between 2004 and 2009.
Based on the server where we made the discovery and the list of systems we have identified as infected, there are two plausible infection vectors used to spread Mumblehard.”
The most popular vector seems to be the use of Joomla & WordPress exploits. The other is the distribution of backdoored “pirated” copies of DirectMailer, a Linux & BSD program. The pirated copies actually install the Mumblehard backdoor, which allows the operators to install additional malware, the white paper claimed.