Security experts at Russian Internet company Yandex have detected a new strain of malware dubbed Mayhem which is targeting server based on Linux and FreeBSD OSs.
The malware Mayhem was designed to infect servers running the popular distributions and use them as part of a botnet, even without the need of any root privileges.
Mayhem isn’t a totally new malware, it was first discovered in April 2014, and according to the experts at Yandex, it is linked to the “Fort Disco” brute-force campaign uncovered by Arbor Networks in 2013 that compromised more than 6000 websites based on popular CMSs.
Mayhem is considered a dangerous cyber threat, it has a modular structure which is able to load numerous payload to compromise targeted systems.
The attackers use a sophisticated PHP script to compromise the servers, it still has a low detection rate with the principal antivirus products on the market. Mayhem scans the internet searching for vulnerable servers, the rfiscan.so for example is used to discover servers hosting websites with a remote file inclusion (RFI) vulnerability, once the malware exploits an RFI it will run a PHP script on a victim.
The experts have discovered that more than 1,400 Linux and FreeBSD servers have been compromised worldwide, but it could be just the tip of the iceberg considering that Mayhem infects mainly those machines which are not updated with security. The majority of infected servers is located in the USA, Russia, Germany and Canada.
“In the *nix world, autoupdate technologies aren’t widely used, especially in comparison with desktops and smartphones. The vast majority of web masters and system administrators have to update their software manually and test that their infrastructure works correctly,”
“For ordinary websites, serious maintenance is quite expensive and often webmasters don’t have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets.” said the researchers in a technical report published by Virus Bulletin.
“As stated previously, the malware uses a hidden file system to store its files. The file system comprises a file that is created during the initialization. The filename of the hidden file system is defined in the configuration, but its name is usually ‘.sd0’. To work with this file system an open-source library ‘FAT 16/32 File System Library’,  is used. The library contains code to create and work with the FAT file system, but it is not used in the original form – some functions have been modified to support encryption. Every block is encrypted with 32 rounds of XTEA algorithm in ECB mode and the encryption key differs from block to block.
The hidden file system is used to store plug-ins and files with strings to process: lists of URLs, usernames, passwords, etc.” states and interesting report published by malwaremustdie.org.
The modular structure of Mayhem is alarming security experts which believe that bad actors behind the malicious campaign are developing new plugins to improve the botnet, according the researchers they have also found an exploit for the Heartbleed vulnerability.
Security Affairs – (Mayhem, Linux)