Linux and BSD web servers are at risk of sophisticated Mumblehard infection, warns ESET in its in-depth technical research paper, titled “Unboxing Linux/Mumblehard – Muttering Spam for your Servers.”
The primary purpose of the Mumblehard malware is to use infected systems for spamming bots.
“We were able to identify victimised system and began the process of notifying its owners,” said Lead ESET security researcher Marc-Etienne M. Léveillé. “This is not trivial, as we identified over 8500 unique IP addresses during 7 month research period! Now that the technical details about the threat are public, it will be easier for the victims to understand what they face and clean their servers.”
ESET researchers say the malware is made up of two different components. Exploiting vulnerabilities in Joomla and WordPress, the first component is a generic backdoor that requests commands from its Command and Control server. The second component is a full-featured spammer daemon that is launched via a command received by the backdoor.
Mumblehard is also distributed via ‘pirated’ copies of a Linux and BSD program known as DirectMailer, software sold on the Yellsoft website for $240. “Our investigation showed strong links with a software company called Yellsoft,” explained Léveillé. “Among other discoveries, we found that IP addresses hard-coded in the malware are closely tied to those of Yellsoft,” explained Léveillé.
ESET reminds web administrators to ensure that web servers operating system and applications are kept up to date with patches as well as running reputatable security software such as ESET Server Security.