securitybreach, posted May 3, 2015:

Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam, researchers said Wednesday. The malware likely infected many more machines during the five years it's known to have existed. Most of the machines infected by the so-called Mumblehard malware are believed to run websites, according to the 23-page report issued by researchers from antivirus provider Eset. During the seven months that they monitored one of its command and control channels, 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks. The discovery is reminiscent of Windigo, a separate spam botnet made up of 10,000 Linux servers that Eset discovered 14 months ago.

The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail. These two main components are written in Perl and they're obfuscated inside a custom "packer" that's written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that's arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes...

http://arstechnica.c...reebsd-servers/

Before you start getting worried, this sounds like targeted attacks against mail servers only and should be patched very soon.
V.T. Eric Layton, posted May 3, 2015:

Well, then only Hillary Clinton should be worried.
atiustira, posted May 4, 2015 (edited May 4, 2015 by atiustira):

Thanks securitybreach. I found this PDF on it also: http://www.welivesec.../mumblehard.pdf

This link to a rule set also: http://sourceforge.net/p/snort/mailman/snort-sigs/
securitybreach (author), posted May 4, 2015:

Quoting atiustira: "Thanks securitybreach. I found this PDF on it also: http://www.welivesec.../mumblehard.pdf"

Cool! We have a buddy here who is a researcher for Eset, so that is neat...
ebrke, posted May 4, 2015:

Yes, Eset was mentioned several times in an article I read on this, I think on ArsTechnica.
atiustira, posted May 5, 2015:

Yes, and our buddy is a good writer also. But even before meeting our friend, I have been recommending Eset. Hey, what do you think of that Snort rule? You would know what is going across the network and catch it without having to wait for a patch! Pretty cool...
securitybreach (author), posted May 5, 2015:

Indeed
goretsky, posted May 13, 2015:

Hello,

The main vector for this particular spam-sending malware is pirated copies of a spam-sending program. It appears the authors of the original spam sender released the infected version, so people who pirate the software would be using an infected copy they could use to send spam themselves. It is all very meta.

Regards,

Aryeh Goretsky
Hedon James, posted May 13, 2015:

Quoting goretsky: "The main vector for this particular spam-sending malware is pirated copies of a spam-sending program. It appears the authors of the original spam sender released the infected version, so people who pirate the software would be using an infected copy they could use to send spam themselves."

Now THAT is funny to me! (and perhaps even a bit clever?) Just another argument to endorse FOSS software, IMO. If you want "free" software, make sure it's also "open source software"! Aw heck... just use Linux for maximum protection OOTB!!!