Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Polytropon
freebsd at edvax.de
Sun May 3 22:31:32 UTC 2015
Nothing new, not even OS-specific. This is what happens when
stupidity gets access to Internet-facing computers.
On Sun, 3 May 2015 12:38:24 -0400, Jerry wrote:
> Has anyone else seen this:
>
> Unnoticed for years, malware turned Linux and BSD servers into spamming machines
>
> http://www.net-security.org/malware_news.php?id=3030
Because it's common practice to install "pirated copies" of
software on BSD and Linux servers. :-)
Still strange:
ESET researchers say the malware is made up of two
different components. Exploiting vulnerabilities
in Joomla and Wordpress, the first component is a
generic backdoor that requests commands from its
Command and Control server. The second component
is a full-featured spammer daemon that is launched
via a command received by the backdoor. Mumblehard
is also distributed via 'pirated' copies of a Linux
and BSD program known as DirectMailer, software sold
on the Yellsoft website for $240.
"Our investigation showed strong links with a software
company called Yellsoft," explained Léveillé. "Among
other discoveries, we found that IP addresses hard-coded
in the malware are closely tied to those of Yellsoft,"
explained Léveillé.
Source:
http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-mumblehard-infection-says-eset/
Further reading keywords: mumblehard, joomla, wordpress. That,
in combination with knowledge about the "noexec" mount option,
should be interesting. :-)
You can easily conclude that it requires a skilled admin to
operate an Internet-facing server system. The "out of the box
experience", combined with "I don't need to know how this
works", plus "I don't care" (today's common "Windows" mindset)
will lead to problems. Especially an open operating system like
Linux or BSD provides you with tools to do your work properly.
You can examine everything. If you refuse to do it - it's
entirely your problem (or that of your trustful customers).
Don't get me started about installing PHP bloatware... :-)
When "wget http://app.example.com/install.sh | sudo bash" and
running arbitrary binary software "stolen" somewhere from the
Internet is being performed by a "responsible" person, it's
probably the best time to fire that person. "The trojan is often
included in the installation packages of programs downloaded
from untrustworthy sources." No big deal. In this case, it
seems (if I understood the little information presented correctly)
that a cracked installer installs both the "DirectMailer" and
the backdoor (to be run in userspace). But it's also possible
that weak passwords, open FTP access or other "problems" could
lead to an infection.
And 3000 out of 300 million servers worldwide... well, I think
this is _no_ relation to spamming botnets built with "Windows".
Also see § 5.1 here:
http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf
Don't die while laughing. :-)
--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
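The "noexec" hint above, worked out as a small audit script. This is an added example, not part of the original post and not code from ESET, Yellsoft or the Mumblehard analysis. It reads a mount table in the format of /proc/mounts (Linux) or "mount -p" (FreeBSD) and flags writable locations that are either not a separate mount point at all, or are mounted without noexec. The mount table in sample_table() is constructed for the example, and the directory list in WANT_NOEXEC is an assumption to adapt to your own layout.

```shell
#!/bin/sh
# Added example (not from the original post or the ESET report): audit a
# mount table for writable locations that are mounted without "noexec".
# Input format is that of /proc/mounts or FreeBSD's "mount -p":
#   device mountpoint fstype options [dump pass]
# sample_table() is a constructed table; WANT_NOEXEC is an assumption.

# Locations a web application or a dropped installer can usually write to.
WANT_NOEXEC="/tmp /var/tmp /dev/shm /var/www/uploads"

# sample_table prints a constructed mount table with two problems:
# /dev/shm lacks noexec and /var/tmp is not a separate mount at all.
sample_table() {
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' \
        '/dev/sdb1 /var/www/uploads ext4 rw,nosuid,nodev,noexec 0 0'
}

# has_opt LINE OPTION: succeeds if the comma-separated option field of
# LINE contains OPTION as a whole word ("noexec", not "noexecfoo").
has_opt() {
    _opts=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$_opts," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts reads a mount table on stdin and prints one line per
# wanted directory that is either not its own mount point (so it
# inherits exec from the parent filesystem) or is mounted without
# noexec. Exit status 1 if anything was flagged, 0 if all are fine.
audit_mounts() {
    _table=$(cat)
    _bad=0
    for _dir in $WANT_NOEXEC; do
        _line=$(printf '%s\n' "$_table" | awk -v d="$_dir" '$2 == d { print; exit }')
        if [ -z "$_line" ]; then
            echo "NOT-SEPARATE $_dir (inherits exec from parent filesystem)"
            _bad=1
        elif ! has_opt "$_line" noexec; then
            echo "MISSING-NOEXEC $_dir ($(printf '%s\n' "$_line" | awk '{print $4}'))"
            _bad=1
        fi
    done
    return $_bad
}

# Stand-alone run against the constructed table. On a real host replace
# sample_table with "cat /proc/mounts" (Linux) or "mount -p" (FreeBSD).
# A matching fstab entry would look like:
#   tmpfs  /tmp  tmpfs  rw,nosuid,nodev,noexec  0  0
sample_table | audit_mounts || echo "-> problems found"
```

Caveat a practitioner should keep in mind: noexec only stops direct execution of a file dropped on that filesystem. A script still runs when an interpreter is invoked on it explicitly ("perl /tmp/x.pl", "sh /tmp/x.sh"), and code already inside the web root is unaffected, so this is one layer next to keeping Joomla/WordPress patched, not a replacement for it.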