Authorities Disrupt Mumblehard Linux Botnet

Mumblehard, a botnet comprised of servers running Linux and FreeBSD operating systems, was taken down on February 29, 2016, as part of a cooperation between ESET, the Cyber Police of Ukraine, and CyS Centrum LLC.

Estimated to have been comprised of roughly 4,000 Linux servers, Mumblehard was used for spam, but all of its activities have now ceased. Security researchers at ESET also say that they are currently operating a sinkhole server for all known Mumblehard components, and that the sinkhole data is shared with CERT-Bund.

The security company detailed the botnet last year, when they revealed that the Mumblehard malware might have been around since 2009 and that it had been used in spam campaigns. The researchers were able to register a domain name acting as a C&C server for Mumblehard’s backdoor component, which allowed them to estimate the botnet’s size and distribution.

Now, ESET’s Marc-Etienne M.Léveillé explains that, shortly after the security company published its findings last year, the botnet operators reacted by removing all of the unnecessary domains and IP addresses from the list of C&C servers. However, they kept those that were under their control, which proved to be a mistake.

The change was first observed last May, when some of the bots were updated and pushed to all bots at the end of June. The botnet operators had been using a single IP address for the C&C server and had no fallback mechanism, which provided researchers with the needed opportunity to take action and disrupt the botnet.

Working with the Cyber Police of Ukraine and CyS Centrum LLC, the researchers were able to shut down the C&C server on Feb. 29, 2016, and replace it with a sinkhole operated by ESET. They also discovered that there were almost 4,000 Linux systems compromised with the Mumblehard botnet agent. That the number is decreasing, as CERT-Bund is notifying the affected parties.

One thing that ESET researchers weren’t able to figure out was the initial attack vector used by Mumblehard, although they found that some victims were infected via unpatched WordPress or Joomla installations, or one of their plugins. However, the bots weren’t initially compromised from the C&C server, and researchers suggest that operators might have bought access to these computers from another gang.

The analysis of Mumblehard’s C&C server also revealed that it had automatic delisting from Spamhaus’ Composite Blocking List (CBL). A script was monitoring the CBL for the IP addresses of all the spam-bots and, should one be found blacklisted, the script requested the delisting of the IP address, with OCR (or an external service if OCR didn’t work) used to break the CAPTCHA protection of these requests.

“All C&C actions that involved contacting a remote host such as running commands on PHP shells, CBL delisting and so on were performed via proxies. The open proxy feature of the Mumblehard spamming daemon, listening on TCP port 39331, was used to mask the original source of the query. The control panel checking the availability of all the proxies showed victims in 63 different countries,” ESET says.

Last week, ESET revealed information on Remaiten, a piece of malware designed to build a botnet of Linux-based routers and other Internet of Things (IoT) devices. In early March, researchers at Trustwave revealed that the Dridex botnet, which survived a takedown attempt in October last year, was spreading the Locky ransomware via JavaScript attachments.