Researchers Help Shut Down Spam Botnet That Enslaved 4,000 Linux Machines (arstechnica.com)
An anonymous reader shares an article on Ars Technica: A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Sophisticated Mumblehard spamming malware flew under the radar for five years. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service. "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn't work) was used to break the protection."
Shizzlesticks
In the year of our lord 2016 I can't believe this shit is still going on. It's been a few years since I checked in. Everything in the firehose was spam a few times, and the one article I did promote drew some flak. *sigh* wonderful.
C|N>K
How exactly did Mumblehard initially infect the Linux and BSD systems?
Loonix is impervious to such things! Teh Open Sores was created by messiah Loonix Toreballs; and as a god, things with his name nevar have problems!
> It used a custom "packer" to conceal the Perl-based source code that made it run...
I think writing it in Perl provides sufficient obfuscation all by itself.
The Eset researchers still aren't certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.
Look for cron jobs executing code from /var/tmp.
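A check for the indicator in the comment above, written as an added example that is not from the thread or from Eset's report. The crontab text is constructed, and the heuristic (a command that references a path under /tmp or /var/tmp) is an assumption for illustration, not a Mumblehard signature.

```shell
#!/bin/sh
# find_tmp_cron_entries reads crontab text on stdin and prints entries whose
# command references a path under /tmp or /var/tmp. Comment lines, blank lines
# and environment assignments (SHELL=, PATH=, ...) are skipped first so that a
# PATH containing "tmp" does not trigger a hit.
find_tmp_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' | \
    grep -E '(^|[[:space:]"'"'"'=])/(var/)?tmp/'
}

# Constructed sample crontab (not a real infection): benign entries mixed with
# two that execute code out of temp directories. The last entry only cleans
# /var/tmp and is not flagged, since the pattern requires a file under it.
SAMPLE_CRONTAB='# m h dom mon dow user command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/15 * * * * www-data /var/tmp/.x/update >/dev/null 2>&1
*/5 * * * * nobody perl /tmp/.sess_cache.pl
0 3 * * * root /usr/bin/find /var/tmp -mtime +7 -delete'

# Returns the number of flagged entries in the constructed sample.
count_tmp_cron_entries() {
    printf '%s\n' "$SAMPLE_CRONTAB" | find_tmp_cron_entries | wc -l | tr -d ' '
}

# Audit a live host: system crontab, cron.d fragments and per-user spool files
# (spool locations assumed for Debian- and RHEL-style layouts). Prints each
# flagged entry prefixed with the file it came from.
audit_host_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        find_tmp_cron_entries < "$f" | sed "s|^|$f: |"
    done
}
```

Run `audit_host_crontabs` as root to cover every user's spool; per-user crontabs are otherwise unreadable.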
They did such a beautiful and informative report (PDF) that it's a damn shame not to read it.
One of the great things about Open Sores is that with many eyes looking at the sores, things like what's mentioned in the article are impossible on Linux. It only happens on M$ where we can't look at the sores code. Linux Trovalds said so himself.
Muslims, Muslims, Muslims; we hate them for the bad times.
> "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots. If one was found to be blacklisted, this script requested the delisting of the IP address."
Oooh, that is really clever/evil. And that went on for years and Spamhaus never discovered they were getting automated requests? I would think that would be pretty easy to detect if they get ANOTHER report of spam coming from the same machine and ANOTHER delisting request...
Which distro was mostly affected? Forensics should be able to figure that out, and then some more snooping should find the culprits. If they are developers who contribute to Linux then they need to be found out, blacklisted and removed, and maybe send a goon squad to go break their knees and fingers.
Politics is Treachery, Religion is Brainwashing
> A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down.
Martin Luther Mainframe: "Set my brethren free!"
I think that if you spend this much time developing software that uses other people's machines to send spam, further wasting even more people's time for fractions of a cent per message sent, you clearly deserve death, as the sum of your life's work is a negative.
We as society should send killers after these people. If they are witnessed operating the command servers, just execute them on the spot, I don't want to hear about it any further after that.
It's a very useful forum for Windows and Linux users.
Now why am I not shocked these two pieces of spaghetti code were used as an attack vector? It's always important to lock down and isolate each /vhost/, but these two really exemplify why that is so important. Especially WordPress has been one huge security disaster after another.
9/11: Never forget it was a false-flag operation