Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines
An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk.
Here's the white paper in which the researchers explain the exploit.
This isn't as interesting as it sounds (or have I misunderstood?). Basically, if you are a spammer, and download binaries of 'cracked' spamming software... surprise surprise, there is a back door in it that lets other spammers use your servers to spam. It is kinda interesting from a technical point of view (putting Perl scripts into ELF binaries) but the headline is very misleading; this is not a serious Linux/BSD security issue.
TFA: "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"
Via greed driving user interaction in the hope of a "free lunch". From the article:
So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.
And removing the "text extending babble":
1.) Don't get a pirated copy of "DirectMailer" - because it's infected and will trojanise your server.
2.) Keep your server and especially its services updated - check your Joomla and WordPress installations - and in addition the themes you installed.
- the white paper says that the researchers think that these were the most likely vectors
- the article puts faith on the thoughts of the researchers
Translation:
The infected servers were so extremely outdated that the researchers didn't know where to start searching. Some believe they have seen active kernel versions dating back to 2000 and even further and surrendered the computers to archaeologists to study ancient server setups.
3.) An antivirus on a FreeBSD or Linux system is practically useless in detecting recent malware - they need at least 5 yrs. of cultivation.
On Windows the infection base is much greater. However, the idea of "quarantining" software of problematic origin for a certain period of time and early virustotalling it should be considered.
Lesson: no cracked software on Linux/FreeBSD systems.
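A defender-side triage check prompted by the "Perl scripts into ELF binaries" remark in this thread, written here as an added example (not ESET's tooling and not code from the paper or the posts). It assumes the embedded script is present in cleartext inside the binary; the marker list, function names and sample blobs are constructed for the demonstration.

```python
import re

ELF_MAGIC = b"\x7fELF"

# Patterns that Perl source text usually carries. Assumption (not from the page):
# the script sits in cleartext; a packed or encrypted payload will not match
# and needs dynamic analysis or unpacking instead.
PERL_MARKERS = {
    "shebang": rb"#!\s*/usr/(?:local/)?bin/perl",
    "use_strict": rb"\buse\s+strict\s*;",
    "socket_module": rb"\buse\s+IO::Socket",
    "sub_def": rb"\bsub\s+\w+\s*\{",
    "regex_bind": rb"\$\w+\s*=~\s*",
}

def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF magic number."""
    return data[:4] == ELF_MAGIC

def perl_markers_in(data: bytes) -> list:
    """Sorted names of the Perl-source markers found anywhere in the blob."""
    return sorted(name for name, pat in PERL_MARKERS.items() if re.search(pat, data))

def triage(data: bytes, min_markers: int = 2) -> dict:
    """Flag an ELF file that embeds what looks like Perl source.

    Requiring at least `min_markers` distinct markers keeps a lone hit such
    as a 'sub foo {' string in an ordinary binary from tripping the check."""
    elf = is_elf(data)
    hits = perl_markers_in(data) if elf else []
    return {"is_elf": elf, "markers": hits, "suspicious": len(hits) >= min_markers}

# Constructed samples (not real malware bytes): a minimal ELF64 e_ident plus
# e_type/e_machine, followed either by an embedded Perl script or by the kind
# of strings a normal C program carries.
FAKE_ELF_HEADER = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + b"\x02\x00\x3e\x00"
EMBEDDED_PERL = FAKE_ELF_HEADER + b"\x00" * 32 + (
    b"#!/usr/bin/perl\nuse strict;\nuse IO::Socket;\n"
    b"sub run { my $x = shift; $x =~ s/\\s+//g; return $x; }\n"
)
CLEAN_ELF = FAKE_ELF_HEADER + b"\x00" * 32 + b"Usage: %s [file]\nGCC: (GNU) 4.8\n"

if __name__ == "__main__":
    for label, blob in (("embedded-perl", EMBEDDED_PERL), ("clean", CLEAN_ELF)):
        print(label, triage(blob))
```

Run it over a directory of recently dropped binaries to pick candidates for the "quarantine and scan" step the post describes; a match is a reason to look closer, not a verdict.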
Your link says that the routers that are impacted by this "hack" run Linux and that the security issue isn't a flaw in the operating system but with standard passwords.
Not only did you fail to read the entire post you responded to, you didn't even read the link you used as a source for your post.
Now, I'm not going to disregard you as an idiot straight away, but if you are a troll I expect you to be better at it.