ESET has reported on the existence of "Mumblehard," which installs a backdoor and spamming daemon on the server. Mumblehard itself is written in Perl, but it is hidden in an ELF (Executable and Linkable Format) binary. The ELF binaries are written in assembly. That means whoever created this is very, very good at what they do.
Who's responsible? Potentially, YellSoft, a Russian online company that makes and sells DirectMailer, a spamware software package (a.k.a. DarkMailer) that lists for $240 US. Infections are linked to cracked versions of the software, and at the moment, it is sending out pharmaceutical spam. (Infection is also traced to Joomla and WordPress exploits, so keep that in mind if you are hunting.) Particularly vulnerable are web servers that run Perl scripts (Win, Unix, Linux, and BSD) and let users, customers, and admins change their web pages.
What does it do? The Perl backdoor installs in crontab, contacts C&C servers for commands every fifteen minutes, and reports back whether it was successful or not. The backdoor is a single command, "download from URL and execute." There are 10 C&C servers on the list, but only one is actually sending commands; the others might just be blinds.
How long has this been going on? This exploit actually has been out there for about five years now, but it's only now starting to be utilized. The size of the botnet has doubled in the past six months. ESET has a sinkhole that recorded over 8,800 unique IP addresses, with 3,300 hitting in one day. The number of infected hosts is going down, but infections occur at specific times, so it could just seem like fewer.
How do you know if you have it? On Linux or Unix, just do a process status (ps) and you'll see it. Also check for unsolicited cronjob entries from all users on the server.
What can you do if you have it? The simplest way is for the admin to encrypt their data. The backdoor usually goes in /tmp or /var/tmp, so if you mount the tmp directory with "noexec," the backdoor won't execute. You can also whitebox it to prevent it from elevating its permissions and running discovery -- even if it finds information, it is returned as ciphertext, which is useless to crackers.
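The two checks described above (unsolicited cron entries for every user, and a noexec mount on /tmp and /var/tmp), as an added shell example that is not from ESET or the original post. The crontab spool paths and the sample cron line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not ESET's tooling): triage cron jobs that run files from
# /tmp or /var/tmp and check whether those directories are mounted noexec.

# Print non-comment cron lines whose command references a path under /tmp or
# /var/tmp. Reads the crontab files given, or standard input when none are.
suspicious_cron_lines() {
    grep -hv '^[[:space:]]*#' "$@" |
        grep -E "(^|[[:space:]\"'=;|&])/(var/)?tmp/[^[:space:]]" || true
}

# Succeed if mount point $1 has the noexec option in a /proc/mounts-format
# file ($2, default /proc/mounts). A directory with no mount of its own fails.
is_noexec() {
    awk -v mp="$1" '$2 == mp { opts = $4 }
        END { exit !(("," opts ",") ~ /,noexec,/) }' "${2:-/proc/mounts}"
}

# Live audit; run as root so every user's crontab is readable. The spool
# paths are the usual Linux and BSD locations (assumed, adjust per system).
audit_host() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* \
             /var/spool/cron/crontabs/* /var/cron/tabs/*; do
        if [ -f "$f" ]; then
            suspicious_cron_lines "$f" | while IFS= read -r line; do
                printf '%s: %s\n' "$f" "$line"
            done
        fi
    done
    for mp in /tmp /var/tmp; do
        is_noexec "$mp" || echo "$mp is not mounted noexec"
    done
}

# Constructed sample crontab: one 15-minute job under /var/tmp, two benign.
demo() {
    printf '%s\n' '# m h dom mon dow command' \
        '*/15 * * * * /var/tmp/EXAMPLE >/dev/null 2>&1' \
        '0 3 * * * /usr/local/bin/backup.sh' \
        '30 4 * * * find /tmp -mtime +7 -delete' | suspicious_cron_lines
}

case "${1:-}" in
    --audit) audit_host ;;
    --demo)  demo ;;
esac
```

Run it with --audit as root. Flagged lines are a triage list to review, since a legitimate job can also reference a file under /tmp.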
So stay frosty and do that process status.