The new Linux malware, discovered by the security researchers from the antivirus provider Eset, has been dubbed "Mumblehard" because it is Muttering spam from your servers, says Eset 23-page long report (PDF) titled "Unboxing Linux/Mumblehard."
Researchers have logged more than 8,500 unique IP addresses during the seven months period of research that were hit by Mumblehard Linux malware and found over 3,000 machines joined them in the past three weeks.
Mumblehard features two basic components:
- Spamming daemon
Both written in the Perl programming language and "feature the same custom packer written in assembly language."
The backdoor allows hackers to infiltrate into the system and control the command and control servers, and the Spamming daemon is a behind-the-scenes process that focuses on sending large batches of spam emails from the infected servers.
The most worrying part of this campaign:
The Mumblehard operators have been active for over five years, and perhaps even longer, without any disruption.
"Malware targeting Linux and [OpenBSD] servers [are] becoming more and more complex," Eset researchers wrote. "The fact that the [malware creator] used a custom packer...is somewhat sophisticated."
However, it isn't "as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption."
Who is responsible for the spambot network?
The Mumblehard Linux malware actually exploits vulnerabilities in WordPress and Joomla content management systems in order to get into the servers.
Additionally, Mumblehard malware is also distributed by installing ‘pirated’ versions of a Linux and BSD program called DirectMailer, software developed by Yellsoft used for sending bulk e-mails and sold for $240 through the Russian firm's website.
So, when a user installs the pirated version of DirectMailer software, the Mumblehard operators gets a backdoor to the user's server that allows hackers to send spam messages.
How to prevent the threat?
Web server administrators should check their servers for Mumblehard infections by looking for the so-called unwanted cronjob entries added by the malware in an attempt to activate the backdoor every 15-minute increments.
The backdoor is generally located in the /var/tmp or /tmp folders. You can deactivate this backdoor by mounting the tmp directory with the noexec option.