Malware Mumblehard

Spam-blasting malware infects thousands of Linux and FreeBSD servers.

– Ars Technica, Apr 30, 2015.

Mumblehard Malware: Linux-Based Spam Generator Went Unnoticed for Five Years.

– Security Intelligence, May 5, 2015.

One of the longest living email-spam botnets is dead.  

– The daily dot, Apr 7, 2016.

Why is this malware so hyped? What is Mumblehard?

Mumblehard, is a sophisticated malware that affected a huge number of Linux and FreeBSD operating systems and is now said to be completely eradicated from the cyberspace and hence back in the news. It is said that the malware remained undetected for almost 5 years. Mumblehard malware was used as a bot for sending spam emails. Approximately 40,000 systems were infected and a large number of bots were created out of these vulnerable machines, all of which remained undetected for such long time.

Targeting Linux

Linux systems are said to better in security and reliability as compared to other operating systems. In spite of having better features it was compromised. Mumblehard was a topic of concern. It also proved, there is no such thing as an unbreakable system.

ESET (an IT security company) first discovered Mumblehard when a system administrator had contacted them for assistance with a server (legitimate) that was blacklisted for sending spam. The first sample of Mumblehard spammer component was submitted to VirusTotal in 2009 and was analyzed during the same period by ESET. Though it was first examined in 2009, there are chances that malware could have existed before that as well but not detected given its nature of stealth.

It appears that the creators of malware intended to use infected systems for sending spam emails all over the internet causing denial of service. The vulnerability that was exploited was that of open source kernel in Linux/BSD distributions. It is said, if the systems were patched the compromise could have been avoided.

Attack Vectors

  1. Publicly available exploits – The most popular vector seems to be the use of Joomla and WordPress exploits as per the research by ESET. These exploits targeted the open source kernel in Linux/BSD distributions. After compromising the systems, a backdoor was installed and using this entry point the attackers infected the machines and made them act as a spam generating bot. The botnets received commands from a C & C server.
  1. DirectMailer – Pirated copies of DirectMailer were used to install the Mumblehard backdoor that allowed the operators to install malware. DirectMailer was produced by company Yellsoft.

Malware Analysis

Two different malware components were analyzed. One of them was a backdoor which when installed in the system was having communications with the C & C server for commands. The backdoor was usually located in the /tmp or /var/tmp folders of Linux/BSD systems. The C & C server did not always give commands. There were times when no activity was noticed and the bots remained neutral, thus making it highly stealthy.

The other component was a spammer daemon which facilitated spam generation in infected systems.

Perl scripts embedded in Assembly packer

A technical documentation by Marc-Etienne M.Léveillé, again from ESET, suggests that Mumblehard components are mainly Perl scripts. Both the components discovered and mentioned above are written in Perl. These scripts are encrypted and packed inside ELF binaries. The ELF binary packer is written in assembly language and worked well on both Linux and BSD systems.

Yellsoft

While analyses on Mumblehard were going on, IP addresses of its C & C servers were found. These IP’s led the investigation team to Yellsoft. It was found that the C & C server was hosted on Yellsoft’s web server. Later it was concluded that one of the attack vector for the spread of malware was via the distribution of backdoored “pirated” copies of a Linux and BSD program known as DirectMailer, software that Yellsoft sells on their website.

Is Mumblehard an APT?

Given the highly stealthy and persistent nature of Mumblehard we can conclude that it is an APT.

Is spamming the only goal of this group?

Mumblehard was created with a goal of spamming internet by sending a large number of emails. As per news on The Digital dots, the hackers behind Mumblehard had 150 gigabytes of emails, for the purpose of spams.

Thousands of machines were infected by the malware. Email spamming resulted in Denial of service attacks as Mumblehard consumed high bandwidth and often blacklisted victims IP addresses so that they were devoid of sending legitimate emails anywhere on the internet.

It is not yet clear if the attackers had intended to steal data or misuse the data.

Shutting down the Malware

The cybercriminals behind Mumblehard were forced to shut it down after being exposed and the IP addresses that were included in the malware, from the list of C&C servers, were removed. Mumblehard is completely eradicated.

Will Mumblehard be back or not is something we cannot comment on. What is important is the fact that such a stealthy malware existed for years, undetected. Taking inspiration from this, cybercriminals may come back with stealthier and sophisticated malware, if not the same. Awareness is the best defense.

References –

Helpnet security. https://www.helpnetsecurity.com/2015/05/01/unnoticed-for-years-malware-turned-linux-and-bsd-servers-into-spamming-machines/

The daily dot. http://www.dailydot.com/politics/eset-mumblehard-malware/

We Live Security. http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf

Author


Leave a Reply

Your email address will not be published. Required fields are marked *