Slashdot Mirror


Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines

An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.

8 of 180 comments

  1. Who cares? by WombleGoneBad · · Score: 5, Informative

    This isn't as interesting as it sounds (or have I misunderstood?). Basically, if you are a spammer, and download binaries of 'cracked' spamming software... surprise surprise, there is a back door in it that lets other spammers use your servers to spam. It is kinda interesting from a technical point of view (putting perl scripts into ELF binaries) but the headline is very misleading, this is not a serious linux/bsd security issue.

    1. Re:Who cares? by CoderJoe · · Score: 4, Informative

      "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

      So, not just from downloading the "cracked" mailer program.
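The "perl scripts into ELF binaries" point above is the one a defender can act on. What follows is an added example, not code from the story or from ESET's white paper: a small scanner that checks whether a file starts with the ELF magic and, if so, searches it for an interpreter script stored in plaintext (a `#!/usr/bin/perl` shebang, `use strict;`, `perl -e`), then recovers the script text up to the next NUL byte. The ELF header and the embedded Perl snippet are constructed here for the demonstration; the marker patterns are assumptions about what a naive wrapper leaves visible, not a description of the real Mumblehard packer.

```python
"""Flag ELF files that carry a plaintext interpreter script (e.g. Perl) inside."""
import re
import struct

ELF_MAGIC = b"\x7fELF"

# Byte patterns that betray an interpreter script stored verbatim in a binary.
# Assumed indicators for this example, not signatures from the white paper.
SCRIPT_MARKERS = (
    re.compile(rb"#!\s*/usr/(?:local/)?bin/(?:perl|python|sh|bash)\b"),
    re.compile(rb"\buse\s+(?:strict|warnings|POSIX|IO::Socket)\b"),
    re.compile(rb"\bperl\s+-e\b"),
)


def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF magic."""
    return data[:4] == ELF_MAGIC


def find_script_markers(data: bytes):
    """Return sorted (offset, marker) pairs for every script marker found."""
    hits = []
    for pattern in SCRIPT_MARKERS:
        for m in pattern.finditer(data):
            hits.append((m.start(), m.group(0).decode("latin-1")))
    return sorted(hits)


def extract_script(data: bytes, offset: int) -> str:
    """Recover the embedded script text from offset up to the next NUL byte."""
    end = data.find(b"\x00", offset)
    if end == -1:
        end = len(data)
    return data[offset:end].decode("latin-1")


def scan_elf(data: bytes):
    """None if the blob is not ELF; otherwise the marker hits (empty list = clean)."""
    if not is_elf(data):
        return None
    return find_script_markers(data)


def _fake_elf64_header() -> bytes:
    """Constructed 64-byte ELF64 header (x86-64, ET_EXEC); not a loadable binary."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0x401000, 64, 0, 0,
                                 64, 56, 1, 64, 0, 0)


# Constructed samples: a "wrapped" binary with a Perl script appended, and a clean one.
EMBEDDED_PERL = (b"#!/usr/bin/perl\nuse strict;\nuse IO::Socket;\n"
                 b"# constructed placeholder, not the real Mumblehard script\n")
SAMPLE_PACKED = (_fake_elf64_header() + b"\x90" * 48
                 + EMBEDDED_PERL + b"\x00" + b"\xcc" * 16)
SAMPLE_CLEAN = _fake_elf64_header() + b"\x90" * 48 + b"Hello, world\x00"

if __name__ == "__main__":
    for name, blob in (("packed", SAMPLE_PACKED), ("clean", SAMPLE_CLEAN)):
        hits = scan_elf(blob)
        print(name, hits)
        if hits:
            print(extract_script(blob, hits[0][0]))
```

Caveat: this only catches a script stored unencoded. A wrapper that stores the script encrypted or compressed and decodes it at run time needs unpacking first, or a behavioural check instead (for instance, a native binary that spawns `perl` with a script on stdin). A plain `.pl` file is deliberately reported as "not ELF" rather than as a hit, since an interpreter script on its own is nothing suspicious.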

  2. Re:Spamming daemon packed inside ELF binary by CoderJoe · · Score: 5, Informative

    TFA: "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

  3. It's in the fine article - download "crack" by dbIII · · Score: 5, Informative

    OK. How exactly is this Mumblehard malware loaded and executed on the server, without user action and without the user running as root?

    Via greed driving user interaction in the hope of a "free lunch". From the article:

    The price of the software is $240, but interestingly enough, there is a link to a site offering a "cracked" version of DirectMailer. ... The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, and allow them to send spam from and proxy traffic through them.

    So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

  4. Summing up + Translation(babble to information) by burni2 · · Score: 4, Informative

    And removing the "text extending babble":

    1.) Don't get a pirated copy of "DirectMailer" - because it's infected and will trojanise your server.

    2.) Keep your server and especially its services updated - check your Joomla and Wordpress installation - and in addition to that, the themes you installed.

    - the white paper says that the researchers think that these were the most likely vectors

    - the article puts faith on the thoughts of the researchers

    Translation:
    The infected servers were so extremely outdated that the researchers didn't know where to start to search. Some believe to have seen active kernel versions dating back to 2000 and even further and surrendered the computers to archeologists to study ancient server setups.

    3.) An antivirus on a freebsd or linux system is practically useless in detecting recent malware - they need at least 5 yrs. of cultivation

    On windows the infection base is much greater. However the idea of "quarantining" software of problematic origin for a certain period of time and early virustotalling it, should be considered.

    lesson: no cracked software on linux/freebsd system

  5. Re:Which OS has yet to be compromised? by Eunuchswear · · Score: 1, Informative

    I would suspect that some of the OS's that are used in embedded devices (If you really want to call something running an OS embedded.) have been pretty safe.

    Would you?

    https://threatpost.com/lizard-squads-ddos-for-hire-service-built-on-hacked-home-routers/110341

    --
    Watch this Heartland Institute video
  6. Re:Which OS has yet to be compromised? by Anonymous Coward · · Score: 3, Informative

    Your link says that the routers that are impacted by this "hack" run Linux and the security issue isn't a flaw in the operating system but with standard passwords.
    Not only did you fail to read the entire post you responded to, you didn't even read the link you used as a source for your post.

    Now, I'm not going to disregard you as an idiot straight away, but if you are a troll I expect you to be better at it.

  7. Re:It took 5 years? by Khyber · · Score: 1, Informative

    "Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos."

    Pretty much, because once you understand Linux, you realize that it's a fucking tangled web of crap with no cohesion, and thus no real chance of ever being half secure.

    MenuetOS does a better job at security, and it's fucking proprietary garbage.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.