HKCert
Security Blog

Linux/BSD Malware 'Mumblehard' Detection and Cleanup

Release Date: 06 / 05 / 2015
Last Update: 06 / 05 / 2015

(Image created by Cypher789: http://commons.wikimedia.org/wiki/File:Spam_2.jpg)


HKCERT has received reports of Linux servers in Hong Kong infected with the Mumblehard malware, which turns the server into a bot that sends spam. HKCERT will notify the relevant ISPs of the affected IP addresses. You can detect and clean up your server with the information provided in this article.


1. Background

At the end of April 2015, the security vendor ESET released a report on Mumblehard, a spam-sending bot. According to the report, the malware is delivered as ELF binaries (a packed Perl script) and targets Linux and BSD systems. Over 3,000 servers have been infected worldwide, 31 of them located in Hong Kong. The malware and its command and control (C&C) server have been active for at least 5 years.


2. Impact of Mumblehard malware

  • An infected server opens a backdoor to the malware C&C server, which instructs it to send mass spam email.
  • If the infected server is a mail server, its IP address will probably be blacklisted by other mail servers.
  • Since the victims are believed to have been infected through WordPress and Joomla exploits, the same web server may also be vulnerable to other attacks (e.g. the Joomla-based "Brobot" DDoS malware).


3. How to detect and remove Mumblehard malware

If you suspect that your server was infected by Mumblehard malware, please check and clean your server according to the following steps:

  • Check the cron tasks of every user on the server and remove any suspicious entries, since the malware is started by a cron job every 15 minutes.
  • The malware executable is placed in /tmp or /var/tmp; check these directories and remove any suspicious files. You may also consider mounting /tmp with the noexec option so that files dropped there cannot be executed.
  • Patch WordPress and Joomla if they are installed on the server, since these were the likely infection vector.
  • According to ESET, the vendor of the DirectMailer software may be linked to the Mumblehard campaign. Remove that software if you have installed it.
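The first two steps above (reviewing every user's crontab and looking for ELF executables in the temporary directories) can be scripted. The following helper is an added example written for this article; it is not HKCERT's or ESET's tooling. It assumes a POSIX shell with find, dd, od and crontab(1) available, and that the cron entry follows the pattern the text describes: a job firing every 15 minutes whose command lives under /tmp or /var/tmp. The sample crontab lines and file names used for illustration are constructed, not real indicators.

```shell
#!/bin/sh
# Added example (not from HKCERT or ESET): triage helpers for the
# Mumblehard cleanup steps. Assumes POSIX sh, find, dd, od, crontab(1).

# Print crontab lines whose schedule fires every 15 minutes and whose
# command refers to /tmp/ or /var/tmp/. Reads crontab text on stdin so it
# can be fed `crontab -l -u USER` output or files from /etc/cron.d.
# Comment lines and blank lines are skipped; field 1 is the minute spec.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    awk '($1 == "*/15" || $1 == "0,15,30,45") && $0 ~ "(/var)?/tmp/" { print }'
}

# Print the path of every regular file under the given directories that
# begins with the ELF magic bytes 7f 45 4c 46. Hidden directories such
# as /tmp/.x are traversed like any other.
find_elf_in_tmp() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null | while IFS= read -r f; do
            magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
            [ "$magic" = "7f454c46" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Walk every local account plus the system-wide cron files and report
# matching entries prefixed with the owner (needs root for other users).
scan_all_crontabs() {
    cut -d: -f1 /etc/passwd | while IFS= read -r u; do
        crontab -l -u "$u" 2>/dev/null | flag_cron_lines | sed "s|^|$u: |"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_lines | sed 's|^|system: |'
    return 0
}

# Run the full check only when invoked as `sh mumblehard_check.sh --scan`
# (hypothetical file name), so the functions can also be sourced.
if [ "${1-}" = "--scan" ]; then
    echo "== suspicious cron entries =="
    scan_all_crontabs
    echo "== ELF files in temporary directories =="
    find_elf_in_tmp /tmp /var/tmp
fi
```

Any hit should be treated as a lead rather than proof: confirm the file with `file(1)` and check its owner and timestamps before deleting it, and remember that a real infection usually means the web application that let the attacker in is still exploitable. To block the second step entirely, remount the temporary directory without execute permission (for example `mount -o remount,noexec /tmp`) and make the change permanent in /etc/fstab.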


4. Reference

  1. http://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/
  2. [PDF] http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf
  3. http://www.virusradar.com/en/Linux_Mumblehard/detail
  4. http://www.scmagazine.com/linux-malware-mumblehard-has-spamming-feature-backdoor-component/article/412561/