Mumblehard--Let's End Its Five-Year Reign

Linux has a well-deserved reputation as being one of the most secure platforms for individuals and businesses. This is largely due to the way security is integrated into the system, but there is a great risk in being too complacent. Recent events serve to remind us that there is no such thing as an uncrackable system.

In this case, the culprit is a trojan known as Mumblehard, and it has been hitting Linux and BSD Web servers hard. The Mumblehard trojan has a specific purpose: to turn a Web server into a zombie relay for spam e-mail, usually for pharmaceutical goods--yep, Viagra spam.

This hurts Web site owners in several ways:

  1. They must pay for the bandwidth consumed by the spam.
  2. They run the risk of having their domain and IP blacklisted by spam filters, which can prevent their legitimate e-mail from being delivered.

Mumblehard was discovered by security firm ESET, which has published its findings in a white paper (available at http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf). ESET originally discovered the infection when investigating the case of a server that had been blacklisted for spam activities.

The most alarming aspect of Mumblehard is that it has been operating undetected for at least five years. ESET learned that fragments of the malware had been discovered by the VirusTotal on-line service in March 2009.

Botnets are not new, but they usually are detected more quickly. Factors like the rate of infection and the way infected computers are exploited make them easy to detect. The developers of Mumblehard have been much more cautious, slowly infecting targets and using only a little of each host's available bandwidth.

Mumblehard has an unusual anatomy. It's written in Perl code, but then it's packed into an ELF binary executable. Analysis shows that these ELF libraries were written in assembly (as opposed to compiled). This strange method of hiding Mumblehard is the factor that originally interested ESET's researchers and led them to investigate it in detail.

Mumblehard has two components. First there is a backdoor, which runs via a cron task. This component contacts a "Command and Control" server and downloads a file to execute--it polls a list of servers every 15 minutes. It reports the results of the job to all the servers on the list.

The commands are cleverly hidden in the HTTP header, disguised as an innocent PHP session cookie. In actual fact, the "session id" is a hex-encoded URL for the command file (the white paper covers the full details).

The next component of Mumblehard is a mail spam daemon, also written in Perl. It also requests jobs from the Command and Control servers, and either sends e-mail messages directly or sets itself up as an e-mail proxy.

Currently, the source of the attacks has not been absolutely proven. However, there are several suspicious connections to Yellsoft, a Russian firm that specializes in bulk e-mail software called DirectMailer. First, the trojan component is present in pirated versions of Yellsoft's DirectMailer program. Second, the "Command and Control" servers used to control the botnet are hosted in the same IP block as Yellsoft's official Web site.

Compounding the suspicion is the fact that Yellsoft links to the pirated version on its own site. To say that this is unusual behavior for a commercial software company is an understatement!

Following the white paper's publication, Yellsoft's site has gone off-line.

The cracked version of DirectMailer is not the only infection vector. WordPress and Joomla exploits also were used to infect Web servers.

The infection can be detected by checking for unexpected cron tasks. In all cases, these tasks were set to run once every 15 minutes.

The Mumblehard executable was located within the /tmp or /var/tmp directories on all infected servers and was executed via cron.
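The two indicators above (a job that fires every 15 minutes and runs a file from /tmp or /var/tmp) can be checked together. The following is an added example, not code from ESET or from this article; the function names and the sample crontab are constructed for illustration, and it matches on the minute field only.

```python
TMP_DIRS = ("/tmp/", "/var/tmp/")  # locations the article names

def expand_minutes(field):
    """Expand a cron minute field ('*/15', '0,15,30,45', '7-59/15') to a set."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        minutes.update(range(lo, hi + 1, step))
    return minutes

def find_suspect_jobs(crontab_text):
    """Return (line_number, line) for jobs that match both indicators."""
    hits = []
    for num, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        fields = line.split(None, 5)
        # Skip blanks, comments, VAR=value lines and @reboot-style entries.
        if len(fields) < 6 or line.startswith(("#", "@")):
            continue
        try:
            minutes = sorted(expand_minutes(fields[0]))
        except ValueError:
            continue  # first field is not a cron minute expression
        # Four runs per hour, 15 minutes apart, however the field is written.
        quarter_hourly = len(minutes) == 4 and all(
            b - a == 15 for a, b in zip(minutes, minutes[1:]))
        # A temp-directory path counts unless it is only a redirect target.
        tokens = fields[5].split()
        runs_from_tmp = any(
            tok.startswith(TMP_DIRS) and not prev.endswith((">", "<"))
            for prev, tok in zip([""] + tokens, tokens))
        if quarter_hourly and runs_from_tmp:
            hits.append((num, line))
    return hits

# Constructed sample crontab, not taken from a real host.
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/php /var/www/site/cron.php > /tmp/cron.log
*/15 * * * * /var/tmp/EXAMPLE_BINARY >/dev/null 2>&1
7,22,37,52 * * * * /tmp/EXAMPLE_BINARY
"""

if __name__ == "__main__":
    for num, line in find_suspect_jobs(SAMPLE):
        print(f"line {num}: {line}")
```

Run it over the output of `crontab -l` for each account, including the Web server's user, and review every hit by hand before deleting anything.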

The current advice is to remove unauthorized cron jobs, clean the infected files from /tmp (or /var/tmp) and get rid of any infected files (such as the cracked DirectMailer).

As the infection can be spread through WordPress and Joomla exploits, updating these packages to the latest version to prevent re-infection also is recommended.
