Security Linux

Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines 180

An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.
  • Who cares? (Score:5, Informative)

    by WombleGoneBad ( 2591287 ) on Saturday May 02, 2015 @04:04AM (#49599167)
    This isn't as interesting as it sounds (or have I misunderstood?) Basically, if you are a spammer, and download binaries of 'cracked' spamming software... surprise surprise, there is a back door in it that lets other spammers use your servers to spam. It is kinda interesting from a technical point of view (putting perl scripts into ELF binaries) but the headline is very misleading, this is not a serious linux/bsd security issue.
    • Re: (Score:3, Funny)

      by Anonymous Coward

      Oh a denial, this is gonna hit +5 fast!

    • Re:Who cares? (Score:5, Informative)

      by CoderJoe ( 97563 ) * on Saturday May 02, 2015 @04:22AM (#49599207)

      "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

      So, not just from downloading the "cracked" mailer program.

      • by fisted ( 2295862 )
        So it's more of a serious joomla/wordpress security issue, right?
        • Re: (Score:2, Insightful)

          by KiloByte ( 825081 )

          Installing joomla/wordpress implies installing PHP, and that means your security is dead right there.

          • PHP, and that means your security is dead right there

            In theory, it should be possible to adopt good coding practices that leave out all the bad parts of PHP, in much the same way that Douglas Crockford recommends for JavaScript in his book JavaScript: The Good Parts. If you think the PHP interpreter inherently has poor security despite good coding practices, have you tried notifying the operators of Wikipedia?

            • by fisted ( 2295862 )
              The fact that you can go out of your way and produce "good" PHP code doesn't really make the language less shitty.

              My favorite analogy:

              Imagine you have uh, a toolbox. A set of tools. Looks okay, standard stuff in there.

              You pull out a screwdriver, and you see it’s one of those weird tri-headed things. Okay, well, that’s not very useful to you, but you guess it comes in handy sometimes.

              You pull out the hammer, but to your dismay, it has the claw part on both sides. Still serviceable though, I mean, you can hit nails with the middle of the head holding it sideways.

              You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.

              And on you go. Everything in the box is kind of weird and quirky, but maybe not enough to make it completely worthless. And there’s no clear problem with the set as a whole; it still has all the tools.

              Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.

              That’s what’s wrong with PHP.

              (source [eev.ee])

              • by tepples ( 727027 )

                Then why for many years have shared web hosting providers acted so irresponsibly by selling hosting that allows the use of only such a shitty language? I've seen "PHP hosting $5/mo; Perl/Python hosting $10/mo" from some providers.

                • by fisted ( 2295862 )
                  That's probably because people want it, and web hosts would be quite a failure when not providing what the customer wants. Again, that doesn't make the language less shitty.
                  • by tepples ( 727027 )

                    Charging a premium for not-shitty languages encourages continued development of applications in the shitty language because site owners know they'll be able to get a discount by paying only for the use of the shitty language. Do you agree at least with this point? And what should have been done in the first place to discourage widespread use of the shitty language?

                    • by fisted ( 2295862 )

                      Charging a premium for not-shitty languages encourages continued development of applications in the shitty language because site owners know they'll be able to get a discount by paying only for the use of the shitty language. Do you agree at least with this point?

                      I sort of agree, but I think you're having it backwards. I don't think it's a premium on non-shitty languages, but rather a reduction in price on PHP hosting due to high demand.

                      And what should have been done in the first place to discourage widespread use of the shitty language?

                      Dunno, not have invented the www? I don't think there is or was anything one can or could have done about it.

                    • but rather a reduction in price on PHP hosting due to high demand

                      I thought "high demand" (movement of the demand curve to the right) caused an increase in price level, not a decrease. Are you claiming that the demand curve moved so much that hosting providers were able to build in enough economies of scale that they could move the supply curve so far to the right that it more than compensates for the increased demand? Or is there some particular shitty aspect inherent to PHP that happens to push its supply curve to the right?

    • Re:Who cares? (Score:5, Insightful)

      by ledow ( 319597 ) on Saturday May 02, 2015 @04:25AM (#49599213) Homepage

      It's not even very good.

      If you have noexec /tmp, it can't even start. That's been the default in almost every distro for years.

      And it's a random third-party binary. It's not like it got into package repositories or a major piece of software. Some cock downloaded a piece of malware, of his own accord, outside of package management on a Linux machine. And so few people did that, it wasn't even showing up on the radar.

      God, if I had a penny for every spam email sent from a compromised Windows computer that I've had brought to me and been asked to clean, I'd have earned more than a year's wages already.
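The noexec /tmp check this post relies on, written out as an added example (it is not code from the article, from ESET or from any commenter). It classifies /tmp from a /proc/mounts-style table; the two tables below are constructed samples so it runs offline, and `check_live_system()` reads the real table on a Linux host.

```python
"""Report whether /tmp is mounted noexec, from a /proc/mounts-style table.

Added example for this thread; not code from the article or from ESET.
The two mount tables below are constructed samples so the script runs
offline; check_live_system() reads the real table on a Linux host.
"""

# Constructed sample: /tmp is its own tmpfs mount but lacks noexec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /var/www ext4 rw,relatime 0 0
"""

# Constructed sample: the same host after remounting /tmp with noexec.
HARDENED_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/www ext4 rw,relatime 0 0
"""


def mount_options(mounts_text, mountpoint):
    """Return the option set for `mountpoint`, or None when it is not a
    separate mount (it then inherits the options of its parent filesystem).
    /proc/mounts fields: device mountpoint fstype options dump pass."""
    found = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            # Later lines are stacked on top of earlier ones, so the last
            # matching entry is the mount actually visible at that path.
            found = set(fields[3].split(","))
    return found


def tmp_exec_status(mounts_text, mountpoint="/tmp"):
    """Classify the path as 'noexec', 'exec' or 'not-a-mount'."""
    opts = mount_options(mounts_text, mountpoint)
    if opts is None:
        return "not-a-mount"
    return "noexec" if "noexec" in opts else "exec"


def check_live_system(path="/proc/mounts"):
    """Read the real mount table (Linux only) and classify /tmp."""
    with open(path) as fh:
        return tmp_exec_status(fh.read())


if __name__ == "__main__":
    for label, table in (("sample", SAMPLE_MOUNTS), ("hardened", HARDENED_MOUNTS)):
        print(f"{label}: /tmp is {tmp_exec_status(table)}")
```

A result of `not-a-mount` means /tmp is just a directory on the root filesystem and gets whatever options root has, which is normally exec. Note also what noexec covers: it stops execve() of files living on that mount, so a dropped ELF cannot be started directly, but an interpreter installed elsewhere can still be pointed at a script in /tmp. Treat the flag as one layer of the defence rather than a complete block.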

    • It is kinda interesting from a technical point of view (putting perl scripts into elf binaries)

      If you find that interesting, you may also be interested in the VMWare install script, which starts as a shell script but has a compressed binary attached to the end.

      • by tlhIngan ( 30335 )

        If you find that interesting, you may also be interested in the VMWare install script, which starts as a shell script but has a compressed binary attached to the end.

        That's not interesting at all - there's something called a shell archive, or "shar" which is what it implies. GNU has "sharutils" which is used to create and extract files from shar files (or you can run the script - it IS just a regular shell script).

        The benefit is, of course, you can embed a binary inside it and it self-extracts, and is trans

  • by DougPaulson ( 4034537 ) on Saturday May 02, 2015 @04:05AM (#49599173)
    "Perl code packed inside ELF binary .. The Perl spammer .. The spamming daemon is also written in Perl and packed inside an ELF binary"

    OK. How exactly is this Mumblehard malware loaded and executed on the server, without user action and without the user running as root?
    • by CoderJoe ( 97563 ) * on Saturday May 02, 2015 @04:20AM (#49599201)

      TFA: "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

      • Re: (Score:2, Funny)

        by Anonymous Coward

        It's as good as fact, then. Oh, wait, remember a few years back when that powerful country sold a war to the world because they *believed* a country was harboring powerful weapons? It turned out they were wrong.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          No, it turned out they were lying.

        • by gmack ( 197796 )

          It wouldn't be the first time I've seen malware installed via compromised wordpress. Wordpress has had more than a few vulnerabilities over the years and most people who install it just forget about it after and never install security updates. To top it off, wordpress has a web accessible world writeable folder so any exploit easily becomes shell level access.

          On the plus side, most of the spammers never even try to gain root.

    • by dbIII ( 701233 ) on Saturday May 02, 2015 @04:25AM (#49599215)

      OK. How exactly is this Mumblehard malware loaded and executed on the server, without user action and without the user running as root?

      Via greed driving user interaction in the hope of a "free lunch". From the article:

      The price of the software is $240, but interestingly enough, there is a link to a site offering a "cracked" version of DirectMailer. ... The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, and allow them to send spam from and proxy traffic through them.

      So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

      • So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

        They're feeding on them for the purpose of sending still more spam, and meanwhile, the software will send out the spam the spammers are actually intending to send out. So, if you give them a medal, be sure to accelerate it appropriately in the process.

  • Not so uncommon (Score:5, Insightful)

    by vga_init ( 589198 ) on Saturday May 02, 2015 @04:27AM (#49599217) Journal

    These PEBKAC exploits happen more often than you might think on Linux

    • Re:Not so uncommon (Score:4, Insightful)

      by Anonymous Coward on Saturday May 02, 2015 @04:38AM (#49599233)

      Ayup. At one time, I had a nice business fixing compromised Linux web servers. If you run a web thing, then you have to watch port 25 for crap, since sooner or later, some luser will think that it is kewl to use a four letter password and then the SSH or FTP server will be breached by a script kiddie.

      • by tepples ( 727027 )

        Shouldn't the web server be submitting messages through TCP port 587 (SMTP message submission with authentication) out to a dedicated mail server?

  • by burni2 ( 1643061 ) on Saturday May 02, 2015 @04:28AM (#49599221)

    And removing the "text extending babbel":

    1.) Don't get a pirated copy of "DirectMailer" - because it's infected and will trojanise your server.

    2.) keep your server and especially its services updated - check your Joomla and Wordpress installation - and additionally to that the themes you installed.

    - the white paper says that the researchers think that these were the most likely vectors

    - the article puts faith on the thoughts of the researchers

    Translation:
    The infected servers were so extremely outdated that the researchers didn't know where to start searching. Some believe they have seen active kernel versions dating back to 2000 and even further and surrendered the computers to archeologists to study ancient server setups.

    3.) an antivirus on a FreeBSD or Linux system is practically useless in detecting recent malware - they need at least 5 yrs. of cultivation

    On windows the infection base is much greater. However the idea of "quarantining" software of problematic origin for a certain period of time and early virustotalling it, should be considered.

    lesson: no cracked software on linux/freebsd system

  • It's not like the script can run without the interpreter. Even if you were stupid enough to mount /tmp other than noexec (the default).

  • I've got three servers that I maintain; four if you count my workstation. They all run Ubuntu Linux 14.04.

    What is top in my mind is DETECTION. How to tell if Mumblehard has infected us. If it has, I must go in person and re-install all the systems from scratch. But I'm not going to spend several nights on the bus until I get a YES or NO. Perhaps Yellsoft sells a Mumblehard detector, ha ha?
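A starting point for the detection question above, and for the packaging DougPaulson quotes from the paper ("Perl code packed inside ELF binary"), as an added example: this is neither ESET's detector nor code from the article. It flags ELF files that contain Perl-looking text, so it only catches a script stored in the clear. The marker patterns, the two-hit threshold and the three sample byte strings are all constructed assumptions, not published indicators.

```python
"""Heuristic scan for ELF executables carrying a plaintext Perl script.

Added example for this thread: neither ESET's detector nor code from the
article. It looks for the packaging the thread quotes ("Perl code packed
inside ELF binary") by matching Perl-looking text inside an ELF image.
The marker patterns, the two-hit threshold and the sample bytes are all
assumptions constructed here, not published indicators.
"""
import re
import struct
import sys

ELF_MAGIC = b"\x7fELF"

# Fragments typical of a Perl program. Requiring two distinct hits keeps a
# lone "use" or "my" inside an ordinary string table from raising an alert.
PERL_MARKERS = [
    re.compile(rb"#!\s*/usr/(?:local/)?bin/perl"),
    re.compile(rb"\buse strict;"),
    re.compile(rb"\buse IO::Socket"),
    re.compile(rb"\bsub \w+\s*\{"),
    re.compile(rb"\bmy\s+[$@%]\w+"),
]


def _fake_elf_header():
    """Minimal 64-bit little-endian ELF e_ident plus e_type/e_machine/e_version.
    Constructed for the samples only; it is not a loadable binary."""
    return ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HHI", 2, 62, 1)


# Constructed sample: ELF header followed by a Perl script in the clear.
SUSPICIOUS_SAMPLE = _fake_elf_header() + b"\x00" * 32 + (
    b"#!/usr/bin/perl\nuse strict;\nuse IO::Socket;\n"
    b"my $sock = IO::Socket::INET->new(PeerAddr => 'placeholder.invalid');\n"
    b"sub run {\n}\n"
)

# Constructed sample: an ordinary-looking ELF with only section/symbol names.
CLEAN_ELF_SAMPLE = _fake_elf_header() + b"\x00" * 32 + (
    b".shstrtab\x00.text\x00.data\x00libc.so.6\x00printf\x00_start\x00"
)

# Constructed sample: a plain Perl script, not an ELF file at all.
PLAIN_PERL_SAMPLE = b"#!/usr/bin/perl\nuse strict;\nprint \"hello\\n\";\n"


def is_elf(data):
    return data[:4] == ELF_MAGIC


def perl_marker_hits(data):
    """Return the marker patterns that matched anywhere in `data`."""
    return [m.pattern.decode() for m in PERL_MARKERS if m.search(data)]


def classify(data, min_hits=2):
    """'not-elf', 'elf', or 'elf-with-embedded-perl'."""
    if not is_elf(data):
        return "not-elf"
    return "elf-with-embedded-perl" if len(perl_marker_hits(data)) >= min_hits else "elf"


def scan_paths(paths, max_bytes=16 * 1024 * 1024):
    """Classify each file; unreadable paths are reported rather than raised.
    Only the first max_bytes are inspected, so very large files may be missed."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = classify(fh.read(max_bytes))
        except OSError:
            results[path] = "unreadable"
    return results


if __name__ == "__main__":
    # With no arguments, classify the constructed samples; otherwise scan paths.
    if len(sys.argv) > 1:
        for path, verdict in scan_paths(sys.argv[1:]).items():
            print(f"{verdict:24s} {path}")
    else:
        for name, blob in (("suspicious", SUSPICIOUS_SAMPLE),
                           ("clean", CLEAN_ELF_SAMPLE),
                           ("plain perl", PLAIN_PERL_SAMPLE)):
            print(f"{name}: {classify(blob)}")
```

String matching only finds a script that sits in the binary unencrypted; a packer that compresses or encrypts its payload defeats it, so pair a scan like this with the runtime signal the thread already raises (unexpected outbound connections on port 25 from a web host) rather than relying on either alone.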

  • by X.25 ( 255792 ) on Saturday May 02, 2015 @06:52AM (#49599449)

    This "article" is beyond retarded.

  • by Anonymous Coward on Saturday May 02, 2015 @07:31AM (#49599525)

    this malware is pretty unix-y about the way it does things. It's small, does few things and does them efficiently.
    The author should be complimented on his adherence to the unix philosophy. Even his social engineering campaign is that way.

    Functionality wise, an equal malware executable on windows would be megabytes in size and be installed as a service :D

  • /. announced OpenBSD 5.7 the other day and the usual crowd came out to say, "so what", and "nobody uses it", etc. Well, this is why it has fans. Yes, yes, there were Linux and FreeBSD machines run well enough to be proof against this exploit...it's that OpenBSD machines tend to be safe out of the box and you have to make a real effort to de-secure them.

    • I just keep finding that it doesn't support the hilariously ubiquitous hardware that I want to run it on, stuff that is agonizingly well-supported and -documented on Linux. I bought a CD and a Tee Shirt and then it shit all over itself trying to just deliver packets reliably between four eepro100s and then I gave up and went back to Linux and haven't regretted it since.

      Maybe someday the PC hardware landscape will simplify to the point that OpenBSD can support a significant percentage of it, and then I'll gi
