Slashdot Mirror


Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines

An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.

43 of 180 comments

  1. Re:Most Linux distros ship with malware by default by Anonymous Coward · · Score: 4, Funny

    Would you like some cheese with your whine?

  2. Which OS has yet to be compromised? by Taco+Cowboy · · Score: 5, Funny

    So Windoze, Linux, BSD have all been compromised ... how about Hurd / Plan-9? Have they been compromised?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Which OS has yet to be compromised? by Anonymous Coward · · Score: 5, Funny

      as soon as someone starts using hurd, we'll let you know how it's holding up.

    2. Re:Which OS has yet to be compromised? by Anonymous Coward · · Score: 3, Informative

      Your link says that the routers that are impacted by this "hack" run Linux and the security issue isn't a flaw in the operating system but with standard passwords.
      Not only did you fail to read the entire post you responded to, you didn't even read the link you used as a source for your post.

      Now, I'm not going to disregard you as an idiot straight away, but if you are a troll I expect you to be better at it.

    3. Re:Which OS has yet to be compromised? by TheGratefulNet · · Score: 3, Funny

      Ultrix 4.2a, here. have not seen a virus on this machine, ever.

      still clean after all these years.

      as long as you can find scsi1 disks, you can keep running Mosaic and some versions of lynx. DECwindows rocks!

      (what? whaaaaat?)

      --
      "It is now safe to switch off your computer."
    4. Re: Which OS has yet to be compromised? by pfleming · · Score: 2

      Where is the +1 button :-)

      It's just a jump to the left.

    5. Re:Which OS has yet to be compromised? by tricorn · · Score: 2

      A trojan that's inside a bulk e-mailer program, yet. Almost funny.

    6. Re:Which OS has yet to be compromised? by ruir · · Score: 2

      Why not run NetBSD? I think there was a port.

  3. Who cares? by WombleGoneBad · · Score: 5, Informative

    This isn't as interesting as it sounds (or have I misunderstood?). Basically, if you are a spammer, and download binaries of 'cracked' spamming software... surprise surprise, there is a back door in it that lets other spammers use your servers to spam. It is kinda interesting from a technical point of view (putting Perl scripts into ELF binaries) but the headline is very misleading; this is not a serious Linux/BSD security issue.

    1. Re:Who cares? by Anonymous Coward · · Score: 3, Funny

      Oh a denial, this is gonna hit +5 fast!

    2. Re:Who cares? by CoderJoe · · Score: 4, Informative

      "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

      So, not just from downloading the "cracked" mailer program.

    3. Re:Who cares? by ledow · · Score: 5, Insightful

      It's not even very good.

      If you have noexec /tmp, it can't even start. That's been the default in almost every distro for years.

      And it's a random third-party binary. It's not like it got into package repositories or a major piece of software. Some cock downloaded a piece of malware, of his own accord, outside of package management on a Linux machine. And so few people did that, it wasn't even showing up on the radar.

      God, if I had a penny for every spam email sent from a compromised Windows computer that I've had brought to me and been asked to clean, I'd have earned more than a year's wages already.

    4. Re: Who cares? by peragrin · · Score: 4, Insightful

      yet how often do you actually reboot? Once a year? twice?

      --
      i thought once I was found, but it was only a dream.
    5. Re: Who cares? by Traxton · · Score: 3, Interesting

      I reboot whenever a security fix for the kernel is released, so every few weeks to a couple of months, typically. Maximizing uptime for e-peen shouldn't take priority over applying security fixes, imho.

    6. Re:Who cares? by tlhIngan · · Score: 2

      If you find that interesting, you may also be interested in the VMWare install script, which starts as a shell script but has a compressed binary attached to the end.

      That's not interesting at all - there's something called a shell archive, or "shar" which is what it implies. GNU has "sharutils" which is used to create and extract files from shar files (or you can run the script - it IS just a regular shell script).

      The benefit is, of course, you can embed a binary inside it and it self-extracts, and is transmissible over text-only media without having to use uuencode/base64 or other utility.

      Of course, they aren't standard, and often are limited because they rely on external installed programs you should have in your system, and often there's version dependency on the programs it relies on, enough so that older shar files might not work on newer systems.
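      The layout tlhIngan describes (a plain shell stub with a compressed binary appended after a marker line) is easy to build, and just as easy to take apart without running it, which is the sensible thing to do with any "installer" obtained from an untrusted source. The following is an added example written for this page; it is not code from VMware's installer, from sharutils, or from the ESET paper, and the marker string, file names and stand-in payload are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the page or from any vendor's installer.
# build_sfx writes a self-extracting script: a shell stub, a marker line,
# then a gzip stream. carve_payload pulls that stream back out WITHOUT
# executing the stub, so the payload can be inspected first.
# The marker name is an arbitrary choice made for this example.

PAYLOAD_MARKER='__PAYLOAD_BELOW__'

# build_sfx OUT PAYLOAD: write a self-extracting script to OUT whose tail,
# after the marker line, is PAYLOAD gzip-compressed.
build_sfx() {
    out=$1; payload=$2
    # The stub locates its own marker line and decompresses everything after
    # it. 'grep -a' matters: once binary data is appended, grep without -a
    # would just print "Binary file matches" and no line number.
    cat > "$out" <<'STUB'
#!/bin/sh
set -e
dest=${1:-.}
line=$(grep -an '^__PAYLOAD_BELOW__$' "$0" | head -n 1 | cut -d: -f1)
tail -n +$((line + 1)) "$0" | gzip -dc > "$dest/payload.bin"
chmod +x "$dest/payload.bin"
echo "extracted $dest/payload.bin"
STUB
    printf '%s\n' "$PAYLOAD_MARKER" >> "$out"
    gzip -c "$payload" >> "$out"
    chmod +x "$out"
}

# carve_payload SCRIPT OUT: copy the appended stream out of SCRIPT into OUT
# without running SCRIPT. Use this on anything you did not build yourself.
carve_payload() {
    script=$1; out=$2
    line=$(grep -an "^${PAYLOAD_MARKER}\$" "$script" | head -n 1 | cut -d: -f1)
    if [ -z "$line" ]; then
        echo "carve_payload: no marker in $script" >&2
        return 1
    fi
    tail -n +$((line + 1)) "$script" | gzip -dc > "$out"
}

# demo: round trip in a scratch dir with a constructed stand-in payload;
# prints "ok" when the carved bytes equal the original.
demo() {
    tmp=$(mktemp -d)
    printf 'not a real ELF, just a stand-in payload\n' > "$tmp/orig.bin"
    build_sfx "$tmp/installer.sh" "$tmp/orig.bin"
    carve_payload "$tmp/installer.sh" "$tmp/carved.bin"
    if [ "$(cksum < "$tmp/orig.bin")" = "$(cksum < "$tmp/carved.bin")" ]; then
        echo ok
    else
        echo mismatch
    fi
    rm -rf "$tmp"
}

demo
```

      Running `./installer.sh /some/dir` executes whatever the stub says, which is exactly the step you want to skip for a download from a warez site: `carve_payload installer.sh payload.bin` gives you the embedded file to look at with `file`, `strings` or `readelf` first. Real installers use their own marker string, so for an unknown script read the stub for the `tail -n +`/`sed -n` line that locates the payload and adjust `PAYLOAD_MARKER` (or the line offset) accordingly.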

  4. Spamming daemon packed inside ELF binary by DougPaulson · · Score: 3, Interesting

    "Perl code packed inside ELF binary .. The Perl spammer .. The spamming daemon is also written in Perl and packed inside an ELF binary"

    OK. How exactly is this Mumblehard malware loaded and executed on the server, without user action and without the user running as root?

    1. Re:Spamming daemon packed inside ELF binary by CoderJoe · · Score: 5, Informative

      TFA: "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

    2. Re:Spamming daemon packed inside ELF binary by ledow · · Score: 5, Insightful

      You can be insecure on any machine, same as you can be a dick in any language.

      If you have a non-package binary installed on your system, it's user-error. You have decided to run that, and done that with privileges enough to run it.

      This isn't packaged with any software, except for a spam-generating (mass mailing) software anyway. Just that those spammers didn't know they were being used to spam for others too.

      Same as if you just run a program on a Windows machine. It's got FUCK ALL to do with open-source, but don't let that stop you.

      And packaged open-source software is hash-checked and signed by the distributors. This has not been found in ANY repository of distribution packages. It's a random program that someone has decided to install, and is bundled with spam-generating software, so that's how it "kept quiet"... the people installing didn't give a shit about what they were installing, or the mass-mailing they were already doing. It's like getting a virus from a game crack.

      But, please, continue to think you're superior because "lol OS is insecure". I don't actually see any difference between your unrelated argument and, say, "lol Xbox sucks because".

    3. Re:Spamming daemon packed inside ELF binary by Anonymous Coward · · Score: 2, Funny

      It's as good as fact, then. Oh, wait, remember a few years back when that powerful country sold a war to the world because they *believed* a country was harboring powerful weapons? It turned out they were wrong.

    4. Re:Spamming daemon packed inside ELF binary by Anonymous Coward · · Score: 3, Insightful

      No, it turned out they were lying.

    5. Re:Spamming daemon packed inside ELF binary by cas2000 · · Score: 2

      modern windows malware still has a lot to do with insecure design, but not much to do with the stupidity of microsoft developers. stupidity of their managers, perhaps, but not their devs.

      the problem is that microsoft management believes that their users are idiots and incapable of understanding or practicing even basic security. whether they are correct or not is irrelevant - either way, that belief leads to them choosing to design for an idiot user's convenience rather than for a normally intelligent user's security.

      they don't make insecure software because they're too stupid to do otherwise. they do it because they *choose* to, because they believe their users are too stupid to cope with anything better.

      rather than lift their dumber users up to a higher level of understanding and safer practices (i.e. by requiring it in their software design), they dumb things down so that even smarter users find it difficult or impossible to run a secure system. in doing this, microsoft are doing ALL of their users, both dumb and smart, an enormous dis-service. IMO, constituting gross negligence.

  5. It's in the fine article - download "crack" by dbIII · · Score: 5, Informative

    OK. How exactly is this Mumblehard malware loaded and executed on the server, without user action and without the user running as root?

    Via greed driving user interaction in the hope of a "free lunch". From the article:

    The price of the software is $240, but interestingly enough, there is a link to a site offering a "cracked" version of DirectMailer. ... The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, and allow them to send spam from and proxy traffic through them.

    So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

    1. Re:It's in the fine article - download "crack" by drinkypoo · · Score: 2

      So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

      They're feeding on them for the purpose of sending still more spam, and meanwhile, the software will send out the spam the spammers are actually intending to send out. So, if you give them a medal, be sure to accelerate it appropriately in the process.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Not so uncommon by vga_init · · Score: 4, Insightful

    These PEBKAC exploits happen more often than you might think on Linux

    1. Re:Not so uncommon by Anonymous Coward · · Score: 4, Insightful

      Ayup. At one time, I had a nice business fixing compromised Linux web servers. If you run a web thing, then you have to watch port 25 for crap, since sooner or later, some luser will think that it is kewl to use a four letter password and then the SSH or FTP server will be breached by a script kiddie.

  7. Summing up + Translation(babble to information) by burni2 · · Score: 4, Informative

    And removing the "text extending babble":

    1.) Don't get a pirated copy of "DirectMailer" - because it's infected and will trojanise your server.

    2.) keep your server and especially its services updated - check your Joomla and Wordpress installations - and in addition the themes you installed.

    - the white paper says that the researchers think that these were the most likely vectors

    - the article puts faith on the thoughts of the researchers

    Translation:
    The infected servers were so extremely outdated that the researchers didn't know where to start searching. Some believe they have seen active kernel versions dating back to 2000 and even further, and surrendered the computers to archaeologists to study ancient server setups.

    3.) an antivirus on a FreeBSD or Linux system is practically useless in detecting recent malware - they need at least 5 yrs. of cultivation

    On Windows the infection base is much greater. However, the idea of "quarantining" software of problematic origin for a certain period of time and virustotalling it early should be considered.

    lesson: no cracked software on linux/freebsd system

  8. Re: Content management systems by cyber-vandal · · Score: 2

    They are usually quickly fixed but not quickly updated by end users. That's the problem with all OSes. The advantage of OSS is that you have the option of fixing it yourself if the software creator doesn't.

  9. Re:Most Linux distros ship with malware by default by Anonymous Coward · · Score: 2, Insightful

    WTF?

    Decent people don't want to be associated with people like MikeeUSA, the fact that the anti-systemd people seem happy to associate with him isn't going to help their cause.

    What about this one: "decent people don't want to be associated with people like Hitler, the fact that the vegetarian people seem happy to associate with him isn't going to help their cause."

    See what I did there? (no, that doesn't qualify as Godwin, not yet)

    I'm one of these anti-systemd people, and I don't want to be associated in any way with a troll like MikeeUSA. His behavior has nothing to do with accepting systemd or not, and trying to make some kind of true-Scotsman-non-sequitur-bullshit out of it is utter nonsense.

  10. Re:It took 5 years? by dbIII · · Score: 4, Funny

    You certainly didn't wait long enough to read the article before posting.

  11. Re:Most Linux distros ship with malware by default by Eunuchswear · · Score: 2, Insightful

    Yes, you're right, anti-systemd people are not all insane, but some of the most vocal of them are.

    (And it's not just good old "I want to marry 12 year old girls" MikeeUSA, there are also the "systemd will eat your output" loons, the "systemd is an NSA plot" obsessives, the "systemd is an end run around the GPL" tin-foil hatters...)

    --
    Watch this Heartland Institute video
  12. What the... by X.25 · · Score: 2

    This "article" is beyond retarded.

  13. Imo, that is rather funny. by Anonymous Coward · · Score: 5, Funny

    This malware is pretty unix-y about the way it does things. It's small, does few things and does them efficiently.
    The author should be complimented on his adherence to the unix philosophy. Even his social engineering campaign is that way.

    Functionality wise, an equal malware executable on windows would be megabytes in size and be installed as a service :D

  14. Re:Detector, please by Anonymous Coward · · Score: 3, Insightful

    "Second, if you don't know how to detect this, you shouldn't be running servers."

    How's about a real answer or at least a link to a resource to help someone learn what they need to know rather than acting high and mighty?

    That's always been one of the bigger problems facing linux adoption. :P

  15. Re:Most Linux distros ship with malware by default by killkillkill · · Score: 5, Funny

    Cheese is a GNOME application and runs natively , no need for a Windows compatibility layer.

  16. Re:It took 5 years? by ArcadeMan · · Score: 4, Insightful

    Read the article? What madness is this?

    I haven't read it either and I'll still agree with MobileTatsu-NJG here: the huge benefit with OSS that people keep talking about is that thousands of people looking at the source code are able to find bugs, trojans and backdoors. And this particular problem is over five years old, too.

  17. Re:It took 5 years? by grcumb · · Score: 5, Interesting

    Yeah, I can't wait to hear how this is spun into a tale of how great OSS is.

    Wait no more!

    The article states that the analysts have identified 8,867 infected IP addresses. In April 2014, Netcraft confirmed that there were roughly 958,919,789 sites on the web at that time. Independently of them, W3Techs state that nearly 68% of servers are running some form of Unix, and the vast majority of those can be safely assumed to be running Linux.

    So let's say, then, that better than half a billion sites are potentially vulnerable to this exploit, but in practical terms, over the course of years, a mere 8,867 of them actually were infected by this exploit. That means that, uh... carry the 9... somewhere around, oh... 0.0017734% of all vulnerable Linux sites have been compromised by a hitherto unknown and unmitigated active exploit.

    Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  18. Re:Most Linux distros ship with malware by default by Khyber · · Score: 2

    "\u201cconservative\u201d"
    "doesn\u2019t"
    "I\u2019m"

    Looks like systemd already wrecked your shit. Your punctuation doesn't even fucking work!

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  19. Re:It took 5 years? by dbIII · · Score: 2

    thousands of people looking at the source code are able to find bugs, trojans and backdoors.

    There is no source code available to look at in this case. The article is very short and you could have read most of it in the time it took you to post the above irrelevant post, but as it is you are not even aware it's so irrelevant that it looks very silly in context.

  20. Re: It took 5 years? by Plumpaquatsch · · Score: 4, Interesting

    Read TFA. The flaw isn't in the OSS.

    You are right. The flaw is in the OSS-users who think that OSS magically makes them secure from Trojans.

    --
    Of course news about a fake are Fake News.
  21. Re:It took 5 years? by drinkypoo · · Score: 4, Insightful

    However, that doesn't change the reality that the "many eyes" claim is a myth,

    What? No, no it is not. The fact is that many bugs and vulnerabilities are found because of "many eyes", while we have to wait for either a vendor or a malicious attacker to find and announce vulnerabilities in closed-source software. Nobody credible ever claimed that "many eyes" makes FOSS invulnerable to bugs, back doors, etc. The claim is that it makes it less vulnerable, through better practice. Now, if you can provide a citation that shows this is false, I'll show you a paper full of lies — because a comparison is impossible, because the code we most care about isn't available for analysis and comparison. Without the code for the massive and common operating systems and packages which users commonly run, you can't actually make a meaningful comparison.

    So, since we can't prove the claim either way, but we certainly have plenty of evidence that it does work that way since many eyes do in fact often find flaws through code analysis of FOSS but those many eyes do not find flaws in code analysis of closed-source software due to lack of availability. Therefore, the onus of proof is on you — if you want to show that something behaves counterintuitively, you're going to have to prove it.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  22. Re:It took 5 years? by BarbaraHudson · · Score: 4, Insightful

    Sure it's a myth. There are bugs in open source products that have been sitting there out in the open for YEARS without anyone recognizing them until they're exploited. Shellshock and Heartbleed (OpenSSL library - you can't get much more critical than that) prove once again that the "many eyes" are not bothering to look because they all have something else to do (like scratching their own itch), and that you also have to wait for a malicious attacker to find the vulnerabilities before they're fixed.

    It's simply not a "better practice" - just different - and the myth leaves people open to exercising less caution out of an erroneous feeling that someone out there is going over the code to fix it just because it's open source. We all know that debugging and fixing code is a lot less attractive to people than writing new code, and that's simply not going to change, because it's human nature. Most programmers simply do not like to do code maintenance, which is why proprietary software with revenue streams has both an incentive and the means to PAY people to do the maintenance.

    Which I guess is why the Windows kernel is now more secure than either the Linux or BSD kernels. So, citation provided :-)

    Am I happy about it? No, but that's the reality of it, and denying it is being willfully negligent.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  23. PHP: The Good Parts by tepples · · Score: 2

    PHP, and that means your security is dead right there

    In theory, it should be possible to adopt good coding practices that leave out all the bad parts of PHP, in much the same way that Douglas Crockford recommends for JavaScript in his book JavaScript: The Good Parts. If you think the PHP interpreter inherently has poor security despite good coding practices, have you tried notifying the operators of Wikipedia?

    1. Re:PHP: The Good Parts by fisted · · Score: 2
      The fact that you can go out of your way and produce "good" PHP code doesn't really make the language less shitty.

      My favorite analogy:

      Imagine you have uh, a toolbox. A set of tools. Looks okay, standard stuff in there.

      You pull out a screwdriver, and you see it’s one of those weird tri-headed things. Okay, well, that’s not very useful to you, but you guess it comes in handy sometimes.

      You pull out the hammer, but to your dismay, it has the claw part on both sides. Still serviceable though, I mean, you can hit nails with the middle of the head holding it sideways.

      You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.

      And on you go. Everything in the box is kind of weird and quirky, but maybe not enough to make it completely worthless. And there’s no clear problem with the set as a whole; it still has all the tools.

      Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.

      That’s what’s wrong with PHP.

      (source)