Home » News Stories » Linux's Mumblehard Affected Servers

News Stories

Job Search


Back to News »

Linux's Mumblehard Affected Servers

Share this:
digg it  | kickit | Email it | | reddit | liveIt
Subscribe to IrishDev News RSS 
DateWednesday, May 06, 2015
AuthorMarc-Etienne M.Léveillé, ESET / Edited Leonid Botnarenko

Linux's Mumblehard Affected Servers

ESET Researchers Reveal a Family of Linux Malware Mumblehard That Seems to Send Spam Messages

ESET, discovered Linux malware named Linux/Mumblehard. During the first week of April, more than 3,000 machines were affected by Mumblehard. Antivirus and threat protection company, ESET (@ESET), has uncovered a family of Linux malware named Linux / Mumblehard that has, according to the company, stayed under the radar for more than 5 years, targeting mainly web servers.



Thousands of computers and web servers running Linux and FreeBSD operating systems have been infected over past five years with sophisticated malware that turn the machines into spambots. ESET's researchers discovered Mumblehard after being contacted by a system administrator who sought assistance for a server that was added to a public security blacklists for sending spam. The researchers identified and analyzed a process that was causing the server to connect to different SMTP servers and send spam.


ESET then monitored the Mumblehard backdoor component by registering a domain name used as one of the C&C servers. More than 8,500 unique IP addresses hit the sinkhole with Mumblehard behavior while requests were being observed. During the first week of April, more than 3,000 machines were affected by Mumblehard.



The discovery is reminiscent of Windigo, a separate spam botnet made up of 10,000 Linux servers that ESET discovered 14 months ago. The number of infected hosts is slowly decreasing, but the overall view shows that infection happens at specific times and that the botnet size has doubled over a 6-month period.


ESET Researchers wrote: "Malware targeting Linux and BSD servers is becoming more and more complex. The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption."



The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail. These two main components are written in Perl and they're obfuscated inside a custom "packer" that's written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on.



ESET researchers still aren't certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Additionally, Mumblehard malware is also distributed by installing ‘pirated' versions of a Linux and BSD program called DirectMailer, software developed by Yellsoft. So, when a user installs the pirated version of DirectMailer software, the Mumblehard operators gets a backdoor to the user's server that allows hackers to send spam messages.



The almost 9,000 IP addresses Eset observed can't be directly correlated to the number of machines that were infected by Mumblehard, since in some cases more than one server may share an address and in other cases a single server may give up an old address and take up a new one. Still, the number is a strong indication that several thousand machines were affected during the seven months ESET monitored the malware.



To prevent the threat web server administrators should check their servers for Mumblehard infections by looking for the so-called unwanted cronjob entries added by the malware in an attempt to activate the backdoor every 15-minute increments. The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.





Coworking Space in Dublin city centre for tech startups and freelancers - tcube dublin



Who Is Marc-Etienne M.Leveille


Related ESET News


Next Story Logentries Launch Out-of-the-Box for Heroku


Previous Story Garda's Finger Off the Pulse




Corporate Information


Download ESET Mumbleheard Report


Visit Linux



Get Instant Irish Tech News Updates on our Social Channels....

Join at Facebook Join at LinkedIn Follow IrishDevdotcom on Twitter



Got a Story – Share it with the Irish Software Community – Email us at

Back to News »
digg it  | kickit | Email it | | reddit | liveIt | RSS
Low Cost, No Frills Coworking and Hotdesks
Unix Tutorials