Published in News

Linux malware went un-noticed for years

04 May 2015


Yet it was supposed to be so safe

For at least five years, and probably longer, Linux and BSD servers have been used as spam machines thanks to a backdoor caused by a security flaw.
ESET researchers have found that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out spam.


The spammers were careful. They didn't constantly infect new machines, and did not insist that the infected machines blasted out spam all the time. In short they operated under the radar.

ESET discovered the malware on a server that was blacklisted for sending spam. They dubbed it Mumblehard. After analyzing it, they found that it has several distinct components: a generic backdoor that contacts its C&C server and downloads the spammer component, and a general-purpose proxy.

Mumblehard components were mainly Perl scripts encrypted and packed inside ELF binaries. Packing the Perl scripts used by the cybercriminals inside ELF executables is uncommon and more complex than the average server threat.

The weakness in the software was that the backdoor always and repeatedly tries to contact all of the 10 C&C domains listed in its configuration file. ESET took control of one of them (its registration had expired), which allowed them to monitor the activity of the infected hosts between September 19th 2014 and April 22nd 2015.

The number of infected hosts slowly decreased, but it increased again from time to time. The operators are initiating discrete waves of server infection rather than spreading in a continuous fashion.
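An added example, not ESET's tooling: the kind of sinkhole-log triage the two paragraphs above describe, counting the distinct hosts that beacon to the captured C&C domain each day and flagging days that bring a burst of never-before-seen hosts, which is how discrete infection waves show up. The log format, the IP addresses and the C&C hostname placeholder are all constructed.

```python
"""Sinkhole log triage: distinct beaconing hosts per day, plus new arrivals.

Added example, not ESET's own tooling. Log format and values are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed sinkhole log lines: "<ISO date> <source IP> <requested C&C hostname>"
SAMPLE_LOG = """\
2014-09-19 203.0.113.5 cnc-placeholder-1.example
2014-09-19 203.0.113.9 cnc-placeholder-1.example
2014-09-20 203.0.113.5 cnc-placeholder-1.example
2014-09-21 203.0.113.5 cnc-placeholder-1.example
2014-09-21 198.51.100.7 cnc-placeholder-1.example
2014-09-21 198.51.100.8 cnc-placeholder-1.example
2014-09-21 198.51.100.9 cnc-placeholder-1.example
2014-09-22 203.0.113.9 cnc-placeholder-1.example
not a log line
"""


def parse_sinkhole_log(text):
    """Return {date: set(source IPs)}; malformed lines are skipped, not fatal."""
    per_day = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            day = date.fromisoformat(parts[0])
        except ValueError:
            continue
        per_day[day].add(parts[1])
    return per_day


def daily_summary(per_day):
    """Per day, in order: (date, hosts active that day, hosts never seen before)."""
    seen = set()
    rows = []
    for day in sorted(per_day):
        hosts = per_day[day]
        new = hosts - seen
        rows.append((day, len(hosts), len(new)))
        seen |= hosts
    return rows


def infection_waves(rows, threshold=3):
    """Days on which the count of never-before-seen hosts reaches the threshold."""
    return [day for day, _, new in rows if new >= threshold]
```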

The addresses of the C&C servers hardcoded in the Mumblehard samples were what led the researchers to Yellsoft.

DirectMailer is written in Perl and runs on UNIX-type systems, much like Mumblehard. The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, allowing them to send spam from and proxy traffic through them.

But what is worrying is that Mumblehard operators have been active for many years without disruption.

Mumblehard is also installed on servers compromised via Joomla and WordPress exploits, and the researchers have urged administrators to check whether their servers have been hit:
