Slashdot Mirror


Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines

An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.

10 of 180 comments

  1. Which OS has yet to be compromised? by Taco+Cowboy · · Score: 5, Funny

    So Windoze, Linux, BSD have all been compromised ... how about Hurd / Plan-9? Have they been compromised?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Which OS has yet to be compromised? by Anonymous Coward · · Score: 5, Funny

      as soon as someone starts using hurd, we'll let you know how it's holding up.

  2. Who cares? by WombleGoneBad · · Score: 5, Informative

    This isn't as interesting as it sounds (or have I misunderstood?) Basically, if you are a spammer, and download binaries of 'cracked' spamming software... surprise surprise, there is a back door in it that lets other spammers use your servers to spam. It is kinda interesting from a technical point of view (putting perl scripts into elf binaries) but the headline is very misleading, this is not a serious linux/bsd security issue.

    1. Re:Who cares? by ledow · · Score: 5, Insightful

      It's not even very good.

      If you have noexec /tmp, it can't even start. That's been the default in almost every distro for years.

      And it's a random third-party binary. It's not like it got into package repositories or a major piece of software. Some cock downloaded a piece of malware, of his own accord, outside of package management on a Linux machine. And so few people did that, it wasn't even showing up on the radar.

      God, if I had a penny for every spam email sent from a compromised Windows computer that I've had brought to me and been asked to clean, I'd have earned more than a year's wages already.
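Two defensive checks for the points WombleGoneBad and ledow raise above (a Perl script carried inside an ELF binary, and a noexec /tmp mount), as an added example that is not part of the thread or of ESET's analysis; the Perl marker strings and the /proc/mounts parsing are my own assumptions, and the inputs are constructed.

```python
"""Added example: is /tmp mounted noexec, and does an ELF file body carry
an embedded Perl script? Heuristic, not a published Mumblehard signature."""

# Strings a Perl script packed inside an ELF carrier would leave in the file
# body. This list is an assumption chosen for the example, not ESET's IoCs.
PERL_MARKERS = [b"#!/usr/bin/perl", b"use strict;", b"use IO::Socket", b"sub main"]
ELF_MAGIC = b"\x7fELF"


def tmp_is_noexec(mounts_text: str, path: str = "/tmp") -> bool:
    """Parse /proc/mounts-style lines; True only if `path` is its own mount
    and carries the noexec option."""
    for line in mounts_text.splitlines():
        fields = line.split()  # device mountpoint fstype options dump pass
        if len(fields) >= 4 and fields[1] == path:
            return "noexec" in fields[3].split(",")
    return False  # not a separate mount: it inherits the root fs options


def embedded_perl_markers(blob: bytes, min_hits: int = 2) -> list:
    """Return the Perl markers found in an ELF file body (heuristic).
    Non-ELF input yields [] so only packed ELF carriers get flagged, and a
    single marker is ignored to cut false positives on legitimate binaries."""
    if not blob.startswith(ELF_MAGIC):
        return []
    hits = [m for m in PERL_MARKERS if m in blob]
    return hits if len(hits) >= min_hits else []


# Constructed sample inputs so both checks run offline.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"
)
SAMPLE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64 + (
    b"#!/usr/bin/perl\nuse strict;\nuse IO::Socket;\n"
)

if __name__ == "__main__":
    print("/tmp noexec:", tmp_is_noexec(SAMPLE_MOUNTS))
    print("perl markers:", embedded_perl_markers(SAMPLE_ELF))
```

On a live host, feed `open("/proc/mounts").read()` to `tmp_is_noexec` and the bytes of a suspect file to `embedded_perl_markers`; a noexec /tmp is still only one layer, since a dropper can write somewhere else.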

  3. Re:Spamming daemon packed inside ELF binary by CoderJoe · · Score: 5, Informative

    TFA: "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

  4. Re:Spamming daemon packed inside ELF binary by ledow · · Score: 5, Insightful

    You can be insecure on any machine, same as you can be a dick in any language.

    If you have a non-package binary installed on your system, it's user-error. You have decided to run that, and done that with privileges enough to run it.

    This isn't packaged with any software, except for a spam-generating (mass mailing) software anyway. Just that those spammers didn't know they were being used to spam for others too.

    Same as if you just run a program on a Windows machine. It's got FUCK ALL to do with open-source, but don't let that stop you.

    And packaged open-source software is hash-checked and signed by the distributors. This has not been found in ANY repository of distribution packages. It's a random program that someone has decided to install, and is bundled with spam-generating software, so that's how it "kept quiet"... the people installing didn't give a shit about what they were installing, or the mass-mailing they were already doing. It's like getting a virus from a game crack.

    But, please, continue to think you're superior because "lol OS is insecure". I don't actually see any difference between your unrelated argument and, say, "lol Xbox sucks because".

  5. It's in the fine article - download "crack" by dbIII · · Score: 5, Informative

    OK. how exactly is this Mumblehard malware loaded and executed on the server, without user action and without the user running as root?

    Via greed driving user interaction in the hope of a "free lunch". From the article:

    The price of the software is $240, but interestingly enough, there is a link to a site offering a "cracked" version of DirectMailer. ... The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, and allow them to send spam from and proxy traffic through them.

    So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

  6. Imo, that is rather funny. by Anonymous Coward · · Score: 5, Funny

    this malware is pretty unix-y about the way it does things. it's small, does few things and does them efficiently.
    The author should be complimented on his adherence to the unix philosophy. Even his social engineering campaign is that way.

    Functionality wise, an equal malware executable on windows would be megabytes in size and be installed as a service :D

  7. Re:Most Linux distros ship with malware by default by killkillkill · · Score: 5, Funny

    Cheese is a GNOME application and runs natively, no need for a Windows compatibility layer.

  8. Re:It took 5 years? by grcumb · · Score: 5, Interesting

    Yeah, I can't wait to hear how this is spun into a tale of how great OSS is.

    Wait no more!

    The article states that the analysts have identified 8,867 infected IP addresses. In April 2014, Netcraft confirmed that there were roughly 958,919,789 sites on the web at that time. Independently of them, W3Techs state that nearly 68% of servers are running some form of Unix, and the vast majority of those can be safely assumed to be running Linux.

    So let's say, then, that better than half a billion sites are potentially vulnerable to this exploit, but in practical terms, over the course of years, a mere 8,867 of them actually were infected by this exploit. That means that, uh... carry the 9... somewhere around, oh... 0.0017734% of all vulnerable Linux sites have been compromised by a hitherto unknown and unmitigated active exploit.

    Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.