New malware that runs on UNIX-like servers even with restricted privileges has already infected machines in Australia and is actively hunting for more targets, a new research paper has shown.
Three researchers from Russian web provider Yandex – Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov – said in their technical analysis of the malware, published by the security and anti-virus specialist publication Virus Bulletin, that Mayhem functions like a traditional Windows bot.
The infection of websites and even entire web servers has become common. Usually such infections are used for stealing traffic, black hat SEO, drive-by download attacks, and so on, and in the vast majority of cases this kind of malware comprises relatively simple PHP scripts. But in the last two years, several more sophisticated malware families have been discovered. Mayhem is a multi-purpose modular bot for web servers. Our team studied the bot in order to gain an understanding not only of the client part of the malware, but also some of its command and control (C&C) servers, allowing us to collect some statistics.
This article should be considered as an addition to the one published by the Malware Must Die team . We faced the Mayhem bot in April 2014, and this paper is a result of our own independent research.  is the only other publication on Mayhem we’ve found. During our research, we also discovered that Mayhem is a continuation of a bigger ‘Fort Disco’ brute-force campaign, disclosed in .