Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Authorities Disrupt Mumblehard Linux Botnet

Mumblehard, a botnet comprised of servers running Linux and FreeBSD operating systems, was taken down on February 29, 2016, as part of a cooperation between ESET, the Cyber Police of Ukraine, and CyS Centrum LLC.

Mumblehard, a botnet comprised of servers running Linux and FreeBSD operating systems, was taken down on February 29, 2016, as part of a cooperation between ESET, the Cyber Police of Ukraine, and CyS Centrum LLC.

Estimated to have been comprised of roughly 4,000 Linux servers, Mumblehard was used for spam, but all of its activities have now ceased. Security researchers at ESET also say that they are currently operating a sinkhole server for all known Mumblehard components, and that the sinkhole data is shared with CERT-Bund.

The security company detailed the botnet last year, when they revealed that the Mumblehard malware might have been around since 2009 and that it had been used in spam campaigns. The researchers were able to register a domain name acting as a C&C server for Mumblehard’s backdoor component, which allowed them to estimate the botnet’s size and distribution.

Now, ESET’s Marc-Etienne M.Léveillé explains that, shortly after the security company published its findings last year, the botnet operators reacted by removing all of the unnecessary domains and IP addresses from the list of C&C servers. However, they kept those that were under their control, which proved to be a mistake.

The change was first observed last May, when some of the bots were updated and pushed to all bots at the end of June. The botnet operators had been using a single IP address for the C&C server and had no fallback mechanism, which provided researchers with the needed opportunity to take action and disrupt the botnet.

Working with the Cyber Police of Ukraine and CyS Centrum LLC, the researchers were able to shut down the C&C server on Feb. 29, 2016, and replace it with a sinkhole operated by ESET. They also discovered that there were almost 4,000 Linux systems compromised with the Mumblehard botnet agent. That the number is decreasing, as CERT-Bund is notifying the affected parties.

One thing that ESET researchers weren’t able to figure out was the initial attack vector used by Mumblehard, although they found that some victims were infected via unpatched WordPress or Joomla installations, or one of their plugins. However, the bots weren’t initially compromised from the C&C server, and researchers suggest that operators might have bought access to these computers from another gang.

The analysis of Mumblehard’s C&C server also revealed that it had automatic delisting from Spamhaus’ Composite Blocking List (CBL). A script was monitoring the CBL for the IP addresses of all the spam-bots and, should one be found blacklisted, the script requested the delisting of the IP address, with OCR (or an external service if OCR didn’t work) used to break the CAPTCHA protection of these requests.

Advertisement. Scroll to continue reading.

“All C&C actions that involved contacting a remote host such as running commands on PHP shells, CBL delisting and so on were performed via proxies. The open proxy feature of the Mumblehard spamming daemon, listening on TCP port 39331, was used to mask the original source of the query. The control panel checking the availability of all the proxies showed victims in 63 different countries,” ESET says.

Last week, ESET revealed information on Remaiten, a piece of malware designed to build a botnet of Linux-based routers and other Internet of Things (IoT) devices. In early March, researchers at Trustwave revealed that the Dridex botnet, which survived a takedown attempt in October last year, was spreading the Locky ransomware via JavaScript attachments.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.