Security experts have shut down a spam botnet, known as Mumblehard, composed of more than 4,00o Linux machines.
In May 2015, researchers from ESET revealed the sophisticated Mumblehard spamming malware infected thousands of Linux and FreeBSD servers going under the radar for at least five years.
The infected machines were part of a botnet used, in the preceding five years, to run spam campaign, a version of the Mumblehard malware was uploaded for the first time to the VirusTotal online malware checking service in 2009.
At that time, security experts at ESET have monitored the botnet during the previous 7 months by sinkholing one of its C&C servers and observing 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks.
Today the botnet was dismantled, the experts speculate that operators behind the Mumblehard botnet are highly skilled developers that designed a custom “packer” to conceal the Perl-based source code that made it run, a backdoor, and a mail daemon that was able to send large volumes of spam messages.
The experts that accessed the C&C infrastructure used for the Mumblehard botnet, discovered an interesting automatic delisting mechanism from Spamhaus’ Composite Blocking List (CBL)
“Another interesting aspect of the Mumblehard operation revealed by our access to the C&C server was the automatic delisting from Spamhaus’ Composite Blocking List (CBL).” reported a blog post published by ESET. “There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots. If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn’t work) was used to break the protection.”
Estonian law enforcement and an industry partner to shut down the Mumblehard botnet, a complex operation conducted by “sinkholing” the control infrastructure.
In February the experts took control of the Internet address belonging to the command server, by analyzing the incoming traffic they were able to estimate that the malicious infrastructure was composed at least of 4,000 machines.
Despite the researchers shut down the botnet, they are still investigating how the attackers composed a so large infrastructure. The researchers initially suspected that attackers compromised websites running WordPress CMS, but further analysis excluded this hypothesis.
“We knew some of the victims had been compromised through an unpatched CMS such as WordPress or Joomla, or one of their plugins. Forensic analysis of the C&C server suggests that computers running the Mumblehard bot agents were not initially compromised from that specific server.” states the report.
“The scripts we found were only to be run where PHP shells had already been installed. Perhaps Mumblehard’s operators were buying access to these compromised machines from another criminal gang?”
(Security Affairs – Mumblehard botnet, malware)