Mayhem Malware is targeting Linux and FreeBSD servers

Pierluigi Paganini July 25, 2014

A security team at Russian Internet firm Yandex has identified a botnet based on a malware dubbed Mayhem which is targeting Linux and FreeBSD web servers.

Security experts at Russian Internet company Yandex have detected a new strain of malware dubbed Mayhem which is targeting servers running Linux and FreeBSD.

Yandex is a Russian company which operates the largest search engine in Russia with about 60% market share in that country.

The Mayhem malware was designed to infect servers running these popular distributions and enlist them in a botnet, without needing root privileges on the compromised host.

Mayhem isn’t a totally new malware: it was first discovered in April 2014, and according to the experts at Yandex it is linked to the “Fort Disco” brute-force campaign uncovered by Arbor Networks in 2013, which compromised more than 6000 websites based on popular CMSs.

Mayhem is considered a dangerous cyber threat: it has a modular structure that can load numerous payloads to compromise targeted systems.

Mayhem console

Mayhem can be extended by loading new plugins; at the moment security experts have discovered only the following eight malicious payloads:
  • rfiscan.so – Find websites that contain a remote file inclusion (RFI) vulnerability
  • wpenum.so – Enumerate users of WordPress sites
  • cmsurls.so – Identify user login pages in sites based on the WordPress CMS
  • bruteforce.so – Brute force passwords for sites based on the WordPress and Joomla CMSs
  • bruteforceng.so – Brute force passwords for almost any login page
  • ftpbrute.so – Brute force FTP accounts
  • crawlerng.so – Crawl web pages (by URL) and extract useful information
  • crawlerip.so – Crawl web pages (by IP) and extract useful information

The attackers use a sophisticated PHP script to compromise the servers, and it still has a low detection rate with the principal antivirus products on the market. Mayhem scans the Internet searching for vulnerable servers; rfiscan.so, for example, is used to discover servers hosting websites with a remote file inclusion (RFI) vulnerability. Once the malware exploits an RFI, it runs a PHP script on the victim.

The PHP script kills all ‘/usr/bin/host’ processes, analyzes the victim’s machine and then drops a malicious payload identified as ‘libworker.so’.
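The two file names the article gives, the dropped ‘libworker.so’ and the hidden file-system container ‘.sd0’ described further down, are the simplest host-level indicators an administrator can look for. The triage script below is an added example written for this post, not code from Yandex or from the original article; it walks a directory tree, reports any file carrying one of those names, and measures the file’s byte entropy so an encrypted container can be told apart from an unrelated file that merely shares the name. The entropy threshold and the sample tree it builds are constructed for the demo; the real container name is configurable, so a clean result here does not prove a host is clean.

```python
import math
import os
import tempfile
from collections import Counter

# Indicator file names taken from the article: the hidden file-system container
# (usually '.sd0', but configurable) and the dropped payload 'libworker.so'.
INDICATOR_NAMES = {".sd0", "libworker.so"}
HIGH_ENTROPY_BITS = 7.0  # threshold chosen for this demo, not from the report


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or random data,
    much lower for text, scripts or mostly-zero binaries."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_indicators(root: str, max_read: int = 65536) -> list:
    """Walk `root` and report every file whose name matches an indicator,
    together with its size and an entropy reading of its first bytes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in INDICATOR_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            ent = shannon_entropy(head)
            hits.append({
                "path": path,
                "name": name,
                "size": os.path.getsize(path),
                "entropy": round(ent, 2),
                "looks_encrypted": ent >= HIGH_ENTROPY_BITS,
            })
    return hits


def build_demo_tree() -> str:
    """Constructed sample tree (not real malware artefacts): a random-filled
    '.sd0' standing in for an encrypted container, a tiny 'libworker.so'
    stub, and a benign PHP file that must not be reported."""
    root = tempfile.mkdtemp(prefix="mayhem-demo-")
    web = os.path.join(root, "var", "www", "site")
    os.makedirs(web)
    with open(os.path.join(web, ".sd0"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(web, "libworker.so"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 60)  # placeholder header bytes only
    with open(os.path.join(web, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n" * 50)
    return root


if __name__ == "__main__":
    for hit in scan_for_indicators(build_demo_tree()):
        print(hit)
```

Run it against a web root (for example the directory tree your virtual hosts live in) instead of the demo tree; a hit with `looks_encrypted` set is worth a closer look, while a hit on a low-entropy file is more likely a name collision.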

The experts have discovered that more than 1,400 Linux and FreeBSD servers have been compromised worldwide, but this could be just the tip of the iceberg, considering that Mayhem mainly infects machines that are not kept up to date with security patches. The majority of infected servers are located in the USA, Russia, Germany and Canada.

According to three security experts at Yandex, Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, Mayhem is targeting *nix servers; the experts have identified it monitoring the They were able to trace connections from the infected machines to two command and control (C&C) servers used by the bad actors.

“In the *nix world, autoupdate technologies aren’t widely used, especially in comparison with desktops and smartphones. The vast majority of web masters and system administrators have to update their software manually and test that their infrastructure works correctly,

For ordinary websites, serious maintenance is quite expensive and often webmasters don’t have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets,” said the researchers in a technical report published by Virus Bulletin.

One of the most interesting features of the Mayhem malware is its use of a hidden file system, known as sd0, to store plug-ins and files in encrypted form.

“As stated previously, the malware uses a hidden file system to store its files. The file system comprises a file that is created during the initialization. The filename of the hidden file system is defined in the configuration, but its name is usually ‘.sd0’. To work with this file system an open-source library ‘FAT 16/32 File System Library’, [8] is used. The library contains code to create and work with the FAT file system, but it is not used in the original form – some functions have been modified to support encryption. Every block is encrypted with 32 rounds of XTEA algorithm in ECB mode and the encryption key differs from block to block.

The hidden file system is used to store plug-ins and files with strings to process: lists of URLs, usernames, passwords, etc.” states an interesting report published by malwaremustdie.org.
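To make the quoted description concrete, the following is an added example written for this post, not code from the malware, from Yandex or from malwaremustdie.org. It implements the XTEA block cipher with the 32 rounds the report mentions, applies it in ECB mode across one file-system block, and derives a different key for every block. The per-block key derivation (SHA-256 of a master key and the block number), the 512-byte block size and the little-endian word order are all assumptions made for the demo; the report only states that the key differs from block to block. The last function shows the property an analyst can exploit without the key: ECB encrypts equal 8-byte plaintext blocks to equal ciphertext within one file-system block, so runs of zeros or repeated strings remain visible as repeated ciphertext.

```python
import hashlib
import struct
from collections import Counter

DELTA = 0x9E3779B9      # XTEA round constant
MASK = 0xFFFFFFFF
ROUNDS = 32             # the report states 32 rounds
BLOCK_SIZE = 512        # assumed file-system block size (demo choice)
WORDS = "<2I"           # assumed little-endian 32-bit words (x86 servers)


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = ROUNDS) -> bytes:
    """Encrypt one 8-byte block with a 16-byte key (standard XTEA)."""
    v0, v1 = struct.unpack(WORDS, block)
    k = struct.unpack("<4I", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(WORDS, v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = ROUNDS) -> bytes:
    """Inverse of xtea_encrypt_block: run the round schedule backwards."""
    v0, v1 = struct.unpack(WORDS, block)
    k = struct.unpack("<4I", key)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(WORDS, v0, v1)


def block_key(master_key: bytes, block_no: int) -> bytes:
    """HYPOTHETICAL per-block key schedule for the demo. The report only says
    the key differs from block to block; the real derivation is not described."""
    return hashlib.sha256(master_key + struct.pack("<I", block_no)).digest()[:16]


def _ecb(data: bytes, key: bytes, fn) -> bytes:
    """Apply `fn` independently to each 8-byte cipher block (ECB mode)."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    return b"".join(fn(data[i:i + 8], key) for i in range(0, len(data), 8))


def encrypt_fs_block(plain: bytes, master_key: bytes, block_no: int) -> bytes:
    return _ecb(plain, block_key(master_key, block_no), xtea_encrypt_block)


def decrypt_fs_block(cipher: bytes, master_key: bytes, block_no: int) -> bytes:
    return _ecb(cipher, block_key(master_key, block_no), xtea_decrypt_block)


def repeated_ciphertext_blocks(cipher: bytes) -> int:
    """Number of distinct 8-byte ciphertext values that occur more than once:
    the ECB leak that reveals repeated plaintext without knowing the key."""
    counts = Counter(cipher[i:i + 8] for i in range(0, len(cipher), 8))
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    master = b"constructed-demo-master-key"       # constructed, not real
    free_space = bytes(BLOCK_SIZE)                 # an all-zero block
    ct = encrypt_fs_block(free_space, master, 7)
    print("round trip ok:", decrypt_fs_block(ct, master, 7) == free_space)
    print("repeated ciphertext values in zero block:", repeated_ciphertext_blocks(ct))
```

The round trip confirms the decryptor mirrors the encryptor; the repeated-block count on an all-zero block comes out as 1 (every one of the 64 cipher blocks is identical), which is exactly the pattern that lets an analyst distinguish free space from stored data inside such a container even before the key is recovered.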

The modular structure of Mayhem is alarming security experts, who believe that the bad actors behind the malicious campaign are developing new plugins to improve the botnet; according to the researchers, they have also found an exploit for the Heartbleed vulnerability.

“They also found a number of plug-ins that have yet to be seen in the wild, including one that exploits the Heartbleed vulnerability in OpenSSL.”

Pierluigi Paganini

Security Affairs – (Mayhem, Linux)
