Researchers Help Shut Down Spam Botnet That Enslaved 4,000 Linux Machines

An anonymous reader shares an article on Ars Technica: A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Sophisticated Mumblehard spamming malware flew under the radar for five years. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service. "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn't work) was used to break the protection."

FTFA

The Eset researchers still aren't certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.

Look for cron jobs executing code from /var/tmp.

They did such a beautiful and informative report(PDF) it's a damn shame not to read it.

Re:FTFA

[ecotax]

They mention at least one previously used: downloads of the 'free, unsupported' DirectMailer software. So they were apparently targeting people who wanted to send bulk email for free. Poetic injustice? Just guessing, but they could use the same trick with other 'free' products now. From the report:

5.1. "Cracked" DirectMailer
On the homepage, Yellsoft makes sure to tell its visitors that the company doesn’t o er support for copies of the software downloaded from [link deleted], with a link to the page. This page is hosted on narod.ru, a free web hoster. Let’s see if we can get a copy of DirectMailer from there. Figure 9 Softexp web page with DirectMailer download link as seen in 2014 Sure enough, in 2014 you could download a directmailer-retail.zip le with a copy of DirectMailer. Since ESET Anti-Virus products started detecting DirectMailer as malicious, the software is no longer being distributed on softexp.narod.ru. The zip archive contains a dm.pl executable le. Despite the .pl extension, it is not a Perl script, but an ELF executable. This executable le contains a Perl script packed with the Mumblehard packer. Analysis of the Perl script shows that a function called bdrp is invoked before the main program is started. This function has a uuencoded blob, which, once decoded, generates another ELF le. This ELF le is a packed Perl script consisting of the Mumblehard backdoor. It is written to the le system and a cron job is added to run it every 15 minutes.