New Mayhem Malware Targets Linux and UNIX-Like Servers
Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."
And for each of those, they present some example contents that could be used to verify it is part of this infection.
And for those of you who DO auto-update blindly and destroy your app or your server when a bad version comes out, well, at least you can smugly assert that you were "secure".
I want to delete my account but Slashdot doesn't allow it.
It's difficult to rate-limit login attempts from a botnet. The attack pattern I see on my server is one IP making three login attempts, then another IP making three login attempts, and so on. I do rate limit (via temporary IP blocking) attempts from one IP, but it doesn't help much. Of course, they're all doing password-based login attempts and I disable password-based SSH logins for all Internet-connected machines...
I am TheRaven on Soylent News
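The pattern described in the comment above (three attempts per IP, then the next IP) defeats a per-source-IP rate limit by design. An added example, not from the original thread: a small detector over constructed sshd log lines that counts failures per target account within a sliding window instead of per source IP, so a distributed brute force against one account shows up even when no single IP crosses the per-IP threshold. The log lines, hostnames and IP addresses are constructed for the example; the thresholds are assumptions, not recommended values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt: four source IPs, three failed passwords each,
# all against "root", within about 25 seconds. One unrelated successful line
# is included to show that the parser ignores it.
SAMPLE_LOG = """\
Jul 18 10:00:01 web1 sshd[1001]: Failed password for root from 198.51.100.10 port 40001 ssh2
Jul 18 10:00:03 web1 sshd[1001]: Failed password for root from 198.51.100.10 port 40001 ssh2
Jul 18 10:00:05 web1 sshd[1001]: Failed password for root from 198.51.100.10 port 40001 ssh2
Jul 18 10:00:06 web1 sshd[1002]: Accepted publickey for deploy from 192.0.2.7 port 51000 ssh2
Jul 18 10:00:07 web1 sshd[1003]: Failed password for root from 198.51.100.11 port 40002 ssh2
Jul 18 10:00:09 web1 sshd[1003]: Failed password for root from 198.51.100.11 port 40002 ssh2
Jul 18 10:00:11 web1 sshd[1003]: Failed password for root from 198.51.100.11 port 40002 ssh2
Jul 18 10:00:13 web1 sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jul 18 10:00:15 web1 sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jul 18 10:00:17 web1 sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jul 18 10:00:19 web1 sshd[1005]: Failed password for root from 203.0.113.6 port 40004 ssh2
Jul 18 10:00:21 web1 sshd[1005]: Failed password for root from 203.0.113.6 port 40004 ssh2
Jul 18 10:00:23 web1 sshd[1005]: Failed password for root from 203.0.113.6 port 40004 ssh2
"""

# Matches OpenSSH's "Failed password" auth log line (with or without "invalid user").
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(log, year=2014):
    """Yield (timestamp, username, source_ip) for each failed-password line.

    syslog timestamps carry no year, so one is supplied (assumption for the example)."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def offenders(events, key, threshold, window_s):
    """Sliding-window counter.

    `key(user, ip)` chooses what is counted (source IP or target account).
    Returns {key: distinct_source_ips} for every key whose failure count
    reached `threshold` inside any `window_s`-second window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, ip in events:
        k = key(user, ip)
        q = recent[k]
        q.append((ts, ip))
        # Drop entries that have aged out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[k] = len({src for _, src in q})
    return flagged


def detect_per_ip(log, threshold=5, window_s=60):
    """The classic per-IP rule: blind to a botnet that rotates sources every few tries."""
    return offenders(parse(log), lambda user, ip: ip, threshold, window_s)


def detect_per_account(log, threshold=10, window_s=60):
    """Per-target-account rule: catches the distributed attempt and reports how many
    distinct sources took part, which is the signal that an IP block will not help."""
    return offenders(parse(log), lambda user, ip: user, threshold, window_s)


if __name__ == "__main__":
    print("per-IP hits:     ", detect_per_ip(SAMPLE_LOG))        # {} - nothing crosses 5
    print("per-account hits:", detect_per_account(SAMPLE_LOG))   # {'root': 4}
```

On the constructed input the per-IP rule stays silent because every source stops at three attempts, while the per-account rule flags `root` with four distinct sources in one window. In practice the per-account view is what tells you whether the right response is a temporary lockout on the account, a stricter `MaxAuthTries`, or (as the commenter already does) disabling password authentication entirely, rather than chasing individual addresses.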
I was going to release an RFC several years back that detailed malware communications protocols, but it was out-of-scope for an RFC and I figured it would be bad when people started using it. Plus IETF might not take that as an April 1 RFC.
I had suggested that the malware be modular, and that it have a communications protocol using PKI, and an evolutionary module loading framework. It would take code for modules shipped across the network and try to compile them locally for various systems, then ship the binaries around. It would also divide when it got a new module: a kill module would just kill the weak strain. The proposal included detecting remote OS and shipping the correct primary executable code, as well as support code for cross-infection.
The whole thing was a big argument for why we need a non-executable stack and strict rules preventing in-memory transitions between non-executable and executable pages. Data written in memory should never become code. Of course, people want to use JIT compilers, so...
Modern malware still bores me.
Support my political activism on Patreon.
If you never travel outside your country, why not block all networks from outside? Back in my AT&T days I blocked all of South America, Europe, and Asia for our servers because nobody from those locations had any reason to even contact our advertising data collection systems. There is no reason to keep your servers wide open for the world.
Do not look at laser with remaining good eye.
Most of what we see in the wild is caused by improperly written PHP scripts which don't validate their input and then use crud like fopen_url. That provides the crackers the METHOD to put files on the server and execute them. SuExec gives web visitors PERMISSION to add and modify files.
Unfortunately, the folks at Plesk didn't read the first paragraph of the SuExec documentation before deploying it by default, so hundreds of thousands of DIY web servers are running with SuExec. (SuExec means allow visitors to modify files, but don't allow other clients hosted on the same shared server to do so).
What the Plesk and DirectAdmin folks should have read, from the Apache SuExec page:
-----
Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC.
-----
That last sentence bears repeating. "If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC." Plesk and DirectAdmin: your customers are not familiar with managing setuid programs and the security issues, so they should not even CONSIDER running suexec, much less have that foisted on them as the default.
"A lack of anti virus, and missing auto update features leave machines vulnerable"
It astounds me the lengths the article writers go to while avoiding the attack vector:
The admin must:
1. Allow a method to upload files
2. Allow PHP files to be uploaded
3. Allow execution of these uploaded scripts
4. Allow system / exec calls (disabled by default since forever ago)
5. Allow the user to write their own crontab
At that point, you might as well just install the infection through yum or apt.
Seriously, there's a reason that the article numbers are less than 1% of the size of the average Windows server infection.
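The five steps listed above (and the earlier remark about scripts using URL-aware fopen) are all things an administrator can check for in php.ini. An added example, not part of the thread: a small audit that reads a php.ini fragment and reports whether the shell-spawning functions are listed under `disable_functions` and whether `allow_url_fopen` / `allow_url_include` are on. The directive names are real PHP settings; the two ini fragments and the particular function list are constructed for the example and are assumptions, not a complete hardening baseline.

```python
# Functions that spawn a shell or process; a locked-down shared-hosting php.ini
# usually lists these under disable_functions. The list is an assumption for the example.
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

# Constructed "weak" configuration: step 4 in the list above is allowed and
# remote file wrappers are on.
WEAK_INI = """\
[PHP]
; shared hosting defaults left untouched
allow_url_fopen = On
allow_url_include = On
disable_functions =
file_uploads = On
"""

# Constructed hardened counterpart.
HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
file_uploads = On
"""


def parse_ini(text):
    """Minimal php.ini reader: ';' starts a comment, sections are skipped,
    the last assignment of a key wins. Quoted values have their quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini accepts several spellings for a true boolean."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit(ini_text):
    """Return a list of findings (empty list means the checked settings look hardened)."""
    s = parse_ini(ini_text)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    missing = [f for f in SHELL_FUNCS if f not in disabled]
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    # PHP's built-in default for allow_url_fopen is On, for allow_url_include it is Off,
    # so an absent key is treated accordingly.
    if is_on(s.get("allow_url_fopen", "1")):
        findings.append("allow_url_fopen is enabled (remote URLs accepted by fopen/include-style functions)")
    if is_on(s.get("allow_url_include", "0")):
        findings.append("allow_url_include is enabled (include/require can load remote code)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}:")
        for f in audit(text) or ["no findings"]:
            print("  -", f)
```

The audit deliberately says nothing about `file_uploads`, which most sites legitimately need; the point of the commenter's list is that upload alone is harmless until execution and shell access are also permitted, and those are the settings this check reports on.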
Hey, if you want to nitpick, I can reassure you that nearly no infections in the past years on Windows machines were due to a faulty kernel. It was some GDI problem, or a driver issue, something about Internet Explorer or Silverlight... and for a while the big thing was attacking systems by abusing bugs in common third party products like Flash or Acrobat Reader.
By your definition, I dare say that Windows ain't much easier to hijack than Linux.
The sad point is that both systems are not really airtight. Maybe waterproof by now, but I wouldn't use either on my space suit, so to speak. I even have to say that the biggest blunder recently has been in a piece of OSS, I bet heartbleed needs no explanation.
Sadly, the main reason why Windows gets all the attention from malware is plain and simple profit. It's more profitable to target Windows machines. Not only are Windows machines far more numerous than Linux boxes, the average Windows box also has the inferior "admin" with less information about security who is more likely to fall for the Dancing Pigs. That's the main reason for malware being more of a Windows phenomenon than one on Linux.
Profit.
The current big thing is holding your stuff for ransom. I.e. going through your files, encrypting them with a 4096 bit key and wanting money from you in exchange for the private key belonging to it (something, btw, that needs no elevated privileges at all, i.e. would work like a charm in Linux, too, provided you can execute a program from user file space, which you easily can in the average home user Windows because you need at least Windows Professional to set Local file permissions... Well, security costs extra with MS...).
How many Linux users would pay? And how many would show the extortionist a digital four with their fingers and restore the recent backup (because, unlike most Windows users, they have one)?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This virus doesn't attack Linux at all. It attacks PHP web applications. They could run on Linux or any other OS. The brute forcing is what the botnet does once it has a foothold on the machine in question, and has nothing to do with the attack vector.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun