Researchers Help Shut Down Spam Botnet That Enslaved 4,000 Linux Machines (arstechnica.com)

← Back to Stories (view on slashdot.org)

Researchers Help Shut Down Spam Botnet That Enslaved 4,000 Linux Machines (arstechnica.com)

Posted by msmash on Saturday April 9, 2016 @09:10AM from the battling-spammers dept.

An anonymous reader shares an article on Ars Technica: A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Sophisticated Mumblehard spamming malware flew under the radar for five years. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service. "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn't work) was used to break the protection."

27 of 47 comments (clear)

Min score:

Reason:

Sort:

Spam must die by inode_buddha · 2016-04-09 09:21 · Score: 1

In the year of our lord 2016 I can't believe this shit is still going on. Its been a few yrs since I checked in. Everything in the firehose was spam a few times, and the one article I did promote drew some flak. *sigh* wonderful.

--
C|N>K
Mumblehard infected Linux and BSD systems by khz6955 · 2016-04-09 09:26 · Score: 1

How exactly did Mumblehard initially infect the Linux and BSD systems?
1. Re: Mumblehard infected Linux and BSD systems by DaMattster · 2016-04-09 09:54 · Score: 1
  
  I run OpenBSD and was unaffected.
2. Re:Mumblehard infected Linux and BSD systems by invictusvoyd · 2016-04-09 13:59 · Score: 1
  
  there are two plausible infection vectors used to spread Mumblehard. The most popular vector seems to be the use of Joomla and Wordpress exploits. The other is through the distribution of backdoored "pirated" copies of a Linux and BSD program known as DirectMailer, software that Yellsoft sells on their website for $240
  
  backdoored !
3. Re: Mumblehard infected Linux and BSD systems by donaldm · 2016-04-09 18:35 · Score: 1
  
  I run OpenBSD and was unaffected.
  That's funny I run Fedora 23 and was unaffected.
  Go figere
  
  --
  There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
no need... by Anonymous Coward · 2016-04-09 09:37 · Score: 4, Funny

It used a custom "packer" to conceal the Perl-based source code that made it run...
I think writing it in Perl provides sufficient obfuscation all by itself.
1. Re: no need... by Anonymous Coward · 2016-04-09 09:45 · Score: 1
  
  Most perl looks like malware anyways.
FTFA by Anonymous Coward · 2016-04-09 09:42 · Score: 5, Informative

The Eset researchers still aren't certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.
Look for cron jobs executing code from /var/tmp.
They did such a beautiful and informative report(PDF) it's a damn shame not to read it.
1. Re:FTFA by gweihir · 2016-04-09 12:49 · Score: 2
  
  Skimming the report, I found no information at all about the attack vectors.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
2. Re:FTFA by invictusvoyd · 2016-04-09 14:05 · Score: 1
  
  crontab -l
  */15 * * * * /var/tmp/qCVwOWA >/dev/null 2>&1
  Via tainted package DirectMailer
3. Re:FTFA by ecotax · 2016-04-09 21:23 · Score: 3, Informative
  
  They mention at least one previously used: downloads of the 'free, unsupported' DirectMailer software. So they were apparently targeting people who wanted to send bulk email for free. Poetic injustice? Just guessing, but they could use the same trick with other 'free' products now. From the report:
  
  5.1. "Cracked" DirectMailer
  On the homepage, Yellsoft makes sure to tell its visitors that the company doesn’t o er support for copies of the software downloaded from [link deleted], with a link to the page. This page is hosted on narod.ru, a free web hoster. Let’s see if we can get a copy of DirectMailer from there. Figure 9 Softexp web page with DirectMailer download link as seen in 2014 Sure enough, in 2014 you could download a directmailer-retail.zip le with a copy of DirectMailer. Since ESET Anti-Virus products started detecting DirectMailer as malicious, the software is no longer being distributed on softexp.narod.ru. The zip archive contains a dm.pl executable le. Despite the .pl extension, it is not a Perl script, but an ELF executable. This executable le contains a Perl script packed with the Mumblehard packer. Analysis of the Perl script shows that a function called bdrp is invoked before the main program is started. This function has a uuencoded blob, which, once decoded, generates another ELF le. This ELF le is a packed Perl script consisting of the Mumblehard backdoor. It is written to the le system and a cron job is added to run it every 15 minutes.
  
  --
  "Money is a sign of poverty." - Iain Banks
4. Re:FTFA by gweihir · 2016-04-09 21:53 · Score: 1
  
  Thanks. I saw that but discounted it as an attack-vector, because it is not really one (well, not a technological one). But if that is the only thing they mention, then we may just have 4000 terminally stupid system administrators as the root-cause.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Unpossible! by techno-vampire · 2016-04-09 10:03 · Score: 2

Most mainstream distros have some sort of built-in defense against this kind of attack, such as SELinux or AppArmor. Of course, that only works if the Sysadmin has enough sense to let them do their job instead of disabling them to prevent problems that were solved over a decade ago.

--
Good, inexpensive web hosting
Evil by markdavis · 2016-04-09 10:13 · Score: 4, Interesting

>"There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots, If one was found to be blacklisted, this script requested the delisting of the IP address"
Oooh, that is really clever/evil. And that went on for years and Spamhaus never discovered they were getting automated requests? I would think that would be pretty easy to detect if they get ANOTHER report of spam coming from the same machine and ANOTHER delisting request...
1. Re:Evil by Anonymous Coward · 2016-04-09 12:34 · Score: 3, Insightful
  
  History tells us that Spamhaus is not synonymous with competence.
2. Re:Evil by Cramer · 2016-04-11 12:28 · Score: 1
  
  It's hard to achieve perfection in an automated anti-spam system. Or would you rather have the listed-forever, extortion-esq system from SORBS? (the internet never forgets, or forgives)
Re:Unpossible! by inode_buddha · 2016-04-09 11:28 · Score: 1

Absolutely I agree with this -- and would like to add, firewalling outbound connects as well as the inbound

--
C|N>K
Re:Unpossible! by gweihir · 2016-04-09 12:51 · Score: 1

1. Look at the number of infections. A bit lower than typical Windows malware.
2. An idiot sysadmin can make Linux just as vulnerable as Windows. Linux with a competent sysadmin is in a completely different class than Windows.
But haters will hate, no matter the actual facts.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:it would help to know which distro by gweihir · 2016-04-09 12:54 · Score: 2

Indeed. And it would help even more if they told us how the machines were infected. As the number is quite low, I expect some configuration mistake that is not commonplace.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Unpossible! by Anonymous Coward · 2016-04-09 14:30 · Score: 1

Oh, puh-leez. Getting developers to learn to play nicely with SELinux is a chronic release repair task that has been far more expensive than losing an occassional spambot, especially if you block port 25 and port 587 outbound to go only to your designated local email server.
When SELinux breaks a release, I get screamed at. When spam gets out to somebody somewhere else, I can pretty safely ignore it and still get paid.
WordPress and Joomla by xiando · 2016-04-09 14:31 · Score: 3, Insightful

Now why am I not shocked these two pieces of spaghetti code were used as an attack vector? It's always important to lock down and isolate each /vhost/ but these who really exemplify why that is so important. Specially WordPress has been one huge security disaster after another.

--
9/11: Never forget it was a false-flag operation
1. Re:WordPress and Joomla by A+Pressbutton · 2016-04-10 02:22 · Score: 1
  
  Sir, you have been watching too much die hard.
2. Re:WordPress and Joomla by iggymanz · 2016-04-10 04:49 · Score: 1
  
  let's not leave out of discussion out the other piece of PHP poo, Drupal
3. Re:WordPress and Joomla by dbIII · 2016-04-11 00:25 · Score: 1
  
  Read the guys sig and follow the link. His mind does not dwell in reality and he's insulting everyone apart from the terrorists with the shit he's spewing.
Re:Unpossible! by techno-vampire · 2016-04-09 18:05 · Score: 1

I've been using SELinux for years, and I can't remember the last time I had an alert that wasn't caused by some badly-written program trying to do something it had no business doing. For that matter, it's been the best part of a year since I've had an alert. If you don't want to use it, that's up to you, but I'm happy to have it.

--
Good, inexpensive web hosting
Re:Unpossible! by donaldm · 2016-04-09 19:09 · Score: 2

Loonix is impervious to such things! Teh Open Sores was created by messiah Loonix Toreballs; and as a god, things with his name nevar have problems!
Ah! the troll is strong with this one. These aren't the Linux's you are looking for, move along.

--
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
Re:it would help to know which distro by donaldm · 2016-04-09 19:32 · Score: 1

Indeed. And it would help even more if they told us how the machines were infected. As the number is quite low, I expect some configuration mistake that is not commonplace.
That seems to be the problem and I struck this similar thing over 30 years ago. Basically it went like this "The sky if falling, everyone panic" and when asked the reply was "Oh that's a secret". It appears nothing has changed. Sigh!
Fortunately there are people who give these smug whistle blowers a binary four finger and tell every one.

--
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.