Security researchers and law enforcement have joined forces to dismantle the Mumblehard Linux botnet.
A year after it published its first findings on the botnet, Eset said it had partnered with Ukrainian cyber police and security firm CyS Centrum to take down the infrastructure. The botnet stopped sending spam as of 29 February, malware researcher Marc-Etienne M.Leveille wrote in a blog post.
“Eset is operating a sinkhole server for all known Mumblehard components,” he wrote. “We are sharing the sinkhole data with CERT-Bund, which is taking care of notifying the affected parties around the world through their national CERTs.”
After Eset's first report was published, the cyber-criminals behind the botnet apparently stripped the malware's hard-coded C&C list of every domain and IP address that was not under their control.
“With only one IP address acting as the C&C server for the Mumblehard backdoor and no fallback mechanism, a takeover of that IP address would suffice to stop the malicious activities of this botnet,” said Eset.
“We decided to take action and contacted the relevant authorities to make things happen.”
After querying the C&C server for information, the team found several control panels designed to make management of the spam botnet easier – written, like other components of Mumblehard, in Perl.
Although some of the victims had been compromised through an unpatched CMS such as WordPress or Joomla, that was not how Mumblehard itself got onto the machines.
“The scripts we found were only to be run where PHP shells had already been installed,” explained Eset. “Perhaps Mumblehard’s operators were buying access to these compromised machines from another criminal gang?”
Mumblehard appears to have been a fairly sophisticated operation: it monitored the Spamhaus Composite Blocking List (CBL) for the IP addresses of its spam bots and automatically requested delisting of any that had been blacklisted.
“Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn’t work) was used to break the protection,” Eset claimed.
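The CBL monitoring described above rests on an ordinary DNSBL lookup, which defenders can run just as easily to find out whether their own mail hosts or relays are listed. The following is an added example, not code from Eset or from Mumblehard: a DNSBL query is built by reversing the IPv4 octets and appending the zone name, and an A record in 127.0.0.0/8 means the address is listed while NXDOMAIN means it is not. The zone name `cbl.abuseat.org` is an assumption (the CBL zone historically used by mail operators); the resolver is injectable so the logic runs offline against a constructed answer table, and the CAPTCHA-breaking delisting automation is deliberately not reproduced.

```python
"""Check whether IPv4 addresses appear on a DNS-based blocklist (DNSBL).

Added example, not Eset's or Mumblehard's code. A DNSBL such as the
Spamhaus CBL is queried over DNS: reverse the IP's octets, append the
zone, resolve an A record. An answer inside 127.0.0.0/8 means the address
is listed; NXDOMAIN means it is not. The resolver is injectable so the
logic can be exercised offline with a constructed lookup table.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Assumption: the CBL zone name historically queried by mail operators.
CBL_ZONE = "cbl.abuseat.org"

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone name."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad or IPv6 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver; None stands for NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str = CBL_ZONE,
              resolve: Resolver = system_resolver) -> bool:
    """True only if the DNSBL returns a valid listing code for ip."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    # Only 127.0.0.0/8 answers are listing codes. Anything else (for example
    # a wildcard record from an expired or hijacked zone) is not a listing.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def listed_hosts(ips: Iterable[str], zone: str = CBL_ZONE,
                 resolve: Resolver = system_resolver) -> List[str]:
    """Return the subset of ips that the DNSBL currently lists."""
    return [ip for ip in ips if is_listed(ip, zone, resolve)]


# Constructed offline answers standing in for DNS responses; these are not
# real listings, just test data for the logic above.
FAKE_ANSWERS: Dict[str, Optional[str]] = {
    "4.3.2.1.cbl.abuseat.org": "127.0.0.2",        # listed
    "8.7.6.5.cbl.abuseat.org": None,               # NXDOMAIN, not listed
    "12.11.10.9.cbl.abuseat.org": "93.184.216.34",  # bogus non-loopback answer
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed FAKE_ANSWERS table."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    hosts = ["1.2.3.4", "5.6.7.8", "9.10.11.12"]
    print(listed_hosts(hosts, resolve=fake_resolver))  # ['1.2.3.4']
```

Run against the live resolver by dropping the `resolve=` argument; the 127.0.0.0/8 check matters in practice, because a retired or wildcarded DNSBL zone can answer every query with a public address and would otherwise mark every host as listed.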
Further, all C&C activity that required contacting a remote host was routed through proxies in more than 60 countries, masking its true source.
Almost 4000 Linux systems had apparently been compromised by the time of Mumblehard’s shutdown in February.
“Mumblehard might not be the most prevalent, the most dangerous or the most sophisticated botnet out there, but shutting it down is still a step in the right direction and shows that security researchers working with other entities can help reduce the impact of criminal activity on the internet,” the vendor concluded.