Security News

Mumblehard Botnet That Targeted Linux Systems Has Been Shut Down

April 11, 2016

mumblehard-botnetMumblehard, a botnet that targets servers running Linux has been shut down a year after it was first discovered. According to IT security company ESET, “With only one IP address acting the command and control (C&C) server for the Mumblehard backdoor and no fallback mechanism, a takeover of that IP address would suffice to stop the malicious activities of this botnet”. The malware has infected over 4,000 Linux machines but has likely affected more machines during the five years it’s known to have existed.

Mumblehard is the brainchild of experienced and highly-skilled developers, which includes two main components—a backdoor and a spam daemon (a program that runs in the background and sends large batches of junk mail). They are written in Perl, a programming language that can be used for a large variety of tasks, and are obfuscated inside a custom “packet” that made it run. The command servers that coordinated the compromised machines operations could also send messages to Spamhaus, which employs real-time composite blocking list (CBL) maintained by the anti-spam service. It then requests the delisting of any Mumblehard-based IP addresses. The result is a stealthy infection that makes these components part of a renegade network blasting the internet with spam and may serve other nefarious purposes.

[READ: Are security threats to Linux on the rise?]

The company collaborated with Estonian law enforcement to shut down the botnet. In February 2016, they took hold of the IP address belonging to the command server, making it possible to “sinkhole” the botnet. After querying the attacker’s control server, they found the infected machines connected to benign machines run by the takedown group.

As of late, it is still unclear how Mumblehard was able to take hold of its victims. However, it was initially suspected that the malware exploited vulnerabilities in content management systems like WordPress, and other plug-ins associated with them—but this theory remains inconclusive. The number of infected machines are reportedly dropping as compromised systems are sanitized.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Connect with us on