Security Experts:

Connect with us

Hi, what are you looking for?



Authorities Disrupt Mumblehard Linux Botnet

Mumblehard, a botnet comprised of servers running Linux and FreeBSD operating systems, was taken down on February 29, 2016, as part of a cooperation between ESET, the Cyber Police of Ukraine, and CyS Centrum LLC.

Mumblehard, a botnet comprised of servers running Linux and FreeBSD operating systems, was taken down on February 29, 2016, as part of a cooperation between ESET, the Cyber Police of Ukraine, and CyS Centrum LLC.

Estimated to have been comprised of roughly 4,000 Linux servers, Mumblehard was used for spam, but all of its activities have now ceased. Security researchers at ESET also say that they are currently operating a sinkhole server for all known Mumblehard components, and that the sinkhole data is shared with CERT-Bund.

The security company detailed the botnet last year, when they revealed that the Mumblehard malware might have been around since 2009 and that it had been used in spam campaigns. The researchers were able to register a domain name acting as a C&C server for Mumblehard’s backdoor component, which allowed them to estimate the botnet’s size and distribution.

Now, ESET’s Marc-Etienne M.Léveillé explains that, shortly after the security company published its findings last year, the botnet operators reacted by removing all of the unnecessary domains and IP addresses from the list of C&C servers. However, they kept those that were under their control, which proved to be a mistake.

The change was first observed last May, when some of the bots were updated and pushed to all bots at the end of June. The botnet operators had been using a single IP address for the C&C server and had no fallback mechanism, which provided researchers with the needed opportunity to take action and disrupt the botnet.

Working with the Cyber Police of Ukraine and CyS Centrum LLC, the researchers were able to shut down the C&C server on Feb. 29, 2016, and replace it with a sinkhole operated by ESET. They also discovered that there were almost 4,000 Linux systems compromised with the Mumblehard botnet agent. That the number is decreasing, as CERT-Bund is notifying the affected parties.

One thing that ESET researchers weren’t able to figure out was the initial attack vector used by Mumblehard, although they found that some victims were infected via unpatched WordPress or Joomla installations, or one of their plugins. However, the bots weren’t initially compromised from the C&C server, and researchers suggest that operators might have bought access to these computers from another gang.

The analysis of Mumblehard’s C&C server also revealed that it had automatic delisting from Spamhaus’ Composite Blocking List (CBL). A script was monitoring the CBL for the IP addresses of all the spam-bots and, should one be found blacklisted, the script requested the delisting of the IP address, with OCR (or an external service if OCR didn’t work) used to break the CAPTCHA protection of these requests.

“All C&C actions that involved contacting a remote host such as running commands on PHP shells, CBL delisting and so on were performed via proxies. The open proxy feature of the Mumblehard spamming daemon, listening on TCP port 39331, was used to mask the original source of the query. The control panel checking the availability of all the proxies showed victims in 63 different countries,” ESET says.

Last week, ESET revealed information on Remaiten, a piece of malware designed to build a botnet of Linux-based routers and other Internet of Things (IoT) devices. In early March, researchers at Trustwave revealed that the Dridex botnet, which survived a takedown attempt in October last year, was spreading the Locky ransomware via JavaScript attachments.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.