Malware Targeting Linux-Based Servers Discovered for Sending Spam Messages

Rafia Shaikh

New research has revealed a malware family called "Mumblehard" that targets web servers running Linux and FreeBSD. Mumblehard gives attackers a backdoor through which they can enter and control the system, and a second component sends spam messages from the infected servers.

Mumblehard Linux malware identified:

The findings were made public by researchers at ESET, who say the malware goes back to at least 2009. The team collected statistics on the infected servers for over seven months.

What is Mumblehard Linux malware:

Researchers have divided the Mumblehard malware family into two basic components: a backdoor and a spamming daemon. Written in Perl, the malware lets attackers send spam messages while sheltering behind the legitimate IP addresses of the infected machines, says Marc-Etienne M. Leveille of ESET.

Leveille shares further details:

ESET Researchers were able to monitor the Mumblehard backdoor component by registering a domain name used as one of the C&C servers. More than 8,500 unique IP addresses hit the sinkhole with Mumblehard behavior while we were observing the requests coming in. 

[...] during the first week of April, more than 3,000 machines were affected by Mumblehard. The number of infected hosts is slowly decreasing, but the overall view shows that infection happens at specific times and that the botnet size has doubled over a 6-month period.

Who is responsible...

The research revealed that a company called Yellsoft has possible links to this spam campaign. Yellsoft sells DirectMailer, software for sending bulk email messages. The analysis showed that the IP addresses used for the backdoor and spamming bots were located in the same range as the web server that hosts Yellsoft, confirming the link.

Another link was found in the pirated copies of DirectMailer available online, which install the Mumblehard Linux backdoor when they run.

How to prevent it?

The ESET research team shares how to prevent Mumblehard Linux malware from infecting your web servers:

Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes. The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.
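A read-only audit for the two checks in the advice above, as an added example that is not from ESET or the original article. It assumes the usual crontab locations on Linux and FreeBSD and a Linux-style /proc/mounts; the function names are hypothetical, and it needs root to read other users' crontabs.

```shell
#!/bin/sh
# Added example (not ESET's tooling): flag cron jobs that run from /tmp or
# /var/tmp, and report whether those directories are mounted noexec.

# Read crontab lines on stdin; print entries that reference a path under
# /tmp or /var/tmp. Assumption: a 15-minute schedule is written as "*/15"
# or "0,15,30,45" in the minute field.
flag_tmp_cron() {
    awk '
        BEGIN { pat = "(^|[^A-Za-z0-9_./-])/(var/)?tmp/" }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $0 ~ pat {
            tag = ($1 == "*/15" || $1 == "0,15,30,45") ? "tmp-path,every-15-min" : "tmp-path"
            print tag ": " $0
        }'
}

# $1 = mount point; /proc/mounts-format lines on stdin.
# Prints noexec, exec, or not-a-separate-mount (the last matching line wins).
mount_exec_status() {
    awk -v mp="$1" '
        $2 == mp { found = 1; st = ($4 ~ /(^|,)noexec(,|$)/) ? "noexec" : "exec" }
        END { print (found ? st : "not-a-separate-mount") }'
}

# Walk every crontab found in the assumed locations, then check both mounts.
audit() {
    for dir in /var/spool/cron/crontabs /var/spool/cron /var/cron/tabs /etc/cron.d; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            flag_tmp_cron < "$f" | while IFS= read -r line; do
                printf '%s: %s\n' "$f" "$line"
            done
        done
    done
    [ -r /proc/mounts ] || return 0          # e.g. FreeBSD: inspect mount(8) output instead
    for mp in /tmp /var/tmp; do
        printf '%s: %s\n' "$mp" "$(mount_exec_status "$mp" < /proc/mounts)"
    done
}

# Run the audit only when asked, so the helpers can be sourced or tested alone.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Any flagged entry is a lead to review by hand, since legitimate jobs sometimes use temporary paths too.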

To download the white paper, please visit ESET.
