Undiscovered Malware Turns Linux And BSD Servers Into Spamming Botnets

Researchers from security outfit ESET discovered that several thousand servers running Linux and BSD have unwittingly been sending out spam as a result of a previously undiscovered malware infection. This has been going on for more than 5 years, as the malware was able to stay hidden all this time due to its sophistication and because the spammers haven't been constantly infecting new machines.

"We were able to identify victimized system and began the process of notifying its owners," said Lead ESET security researcher Marc-Etienne M. Léveillé. "This is not trivial, as we identified over 8500 unique IP addresses during 7 month research period! Now that the technical details about the threat are public, it will be easier for the victims to understand what they face and clean their servers."

Spam Linux
Image Source: Flickr (Christian Barmala)

The researchers sort of stumbled onto the scheme when they found a piece of malware on a server that was blacklisted for sending spam. Dubbed "Mumblehard," the malware consists of a generic backdoor that contacts its Command and Control (C&C) server to download a spammer component and general purpose proxy.

After doing a bit of investigating, researchers found that the malware was tied to a company called Yellsoft, which sells DirectMailer, a "system for automated email distribution" that allows users to send anonymous email. DirectMailer is written in Perl and runs on UNIX-type systems, just like Mumblerhard.

The software runs $240, though interestingly enough the developers provide a link to a site that offers a cracked copy, noting that they don't provide technical support for pirated copies. However, the fact that they're linking to the cracked copy is downright shady.

ESET's researchers confirmed that the cracked copy contains the Mumblehard backdoor -- once installed, the operations are able to send spam from and proxy traffic through the infected system. It's not known if the paid version also contains malware.

Show comments blog comments powered by Disqus