A recent vulnerability has been found, affecting thousands of Linux and FreeBSD servers around the world. Norse encourages FreeBSD sysadmins to take proper measures to remedy this exploit. Check the whitepaper for more details.
Researchers have documented a newly discovered family of malware that infected thousands of Linux and FreeBSD servers, making them part of a massive spam distribution campaign.
The unusually sophisticated malware, dubbed Mumblehard, has two main components, both written in Perl. Both use the same custom packer, written in assembly language, which produces ELF binaries that obfuscate the Perl source code.
“Our analysis and research also shows a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer,” the researchers said.
“The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.”
The team discovered Mumblehard after a system administrator reported that a server had been blacklisted for sending spam, and they proceeded to dump the memory of a process that was connecting to different SMTP servers.
“The memory dump clearly showed it to be a Perl interpreter. We investigated and found the executable file in the /tmp directory. We started analyzing this ELF binary and discovered what we now call Mumblehard,” the researchers explained.
“We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”
Key findings in the analysis include:
- Perl scripts were packed inside ELF binaries written in assembly language, showing a higher level of sophistication than average
- A total of 8,867 unique IP addresses were seen in our sinkhole over a 7-month period
- The highest number of unique IP addresses seen in a single day is as high as 3,292
- Mumblehard has been active since at least 2009
- Among the compromised machines, web servers are the most susceptible to being infected
- There is a strong link between Mumblehard and Yellsoft, an online company selling software to send bulk e-mail messages
“Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes,” the researchers noted.
“The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”
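The two checks the researchers recommend can be scripted. The following is an added example, not code from the whitepaper or from the researchers: it flags crontab entries whose command runs from /tmp or /var/tmp and reports whether those directories are mounted without noexec. The function names, the sample data and the two spellings of a 15-minute schedule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for the cron and noexec checks described above.
# Both functions read text on stdin so they can be exercised offline.

# Print user-crontab entries whose command references /tmp or /var/tmp.
# Tag is "15min" when the minute field is */15 or 0,15,30,45 (assumed
# spellings of a 15-minute schedule), otherwise "other".
flag_tmp_cron() {
  awk '
    /^[ \t]*(#|$)/ { next }                          # comments and blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # environment assignments
    {
      n = ($1 ~ /^@/) ? 1 : 5          # @reboot-style entry or five time fields
      cmd = $0
      for (i = 1; i <= n; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
      if (cmd ~ /(^|[^A-Za-z0-9_.-])\/(var\/)?tmp(\/|[ \t;&|]|$)/) {
        tag = ($1 == "*/15" || $1 == "0,15,30,45") ? "15min" : "other"
        print tag ": " $0
      }
    }'
}

# Read fstab-style mount lines (device, mount point, type, options) and report
# /tmp and /var/tmp when they lack noexec or are not separate mounts.
tmp_without_noexec() {
  awk '
    $2 == "/tmp" || $2 == "/var/tmp" {
      seen[$2] = 1
      if (("," $4 ",") !~ /,noexec,/) print $2 ": mounted without noexec"
    }
    END {
      if (!seen["/tmp"]) print "/tmp: not a separate mount"
      if (!seen["/var/tmp"]) print "/var/tmp: not a separate mount"
    }'
}

# Constructed sample input (not real data from any server).
SAMPLE_CRON='MAILTO=root
# nightly backup
30 2 * * * /usr/local/bin/backup.sh
*/15 * * * * /var/tmp/example-bin >/dev/null 2>&1
@reboot cd /tmp && ./upd
0 4 * * * /home/www/tmp/rotate.sh'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,noexec 0 0'

printf '%s\n' "$SAMPLE_CRON" | flag_tmp_cron
printf '%s\n' "$SAMPLE_MOUNTS" | tmp_without_noexec
```

On a live server, pipe `crontab -l -u <user>` for each account into `flag_tmp_cron`, and feed `tmp_without_noexec` from `/proc/mounts` on Linux or `mount -p` on FreeBSD. A flagged line is a lead for review, since legitimate cleanup jobs also reference /tmp.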