
Mayhem has the functions of a traditional Windows bot, but doesn't need root access to make use of them. The malware is modular and can likely be made to do a number of things, but the current version can:
- Find websites that contain a remote file inclusion (RFI) vulnerability
- Enumerate users of WordPress sites
- Identify user login pages in sites based on the WordPress CMS
- Brute force passwords for sites based on the WordPress and Joomla CMSs
- Brute force passwords for almost any login page
- Brute force FTP accounts
- Crawl web pages (both by URL and IP) and extract useful information.
"Initially, the piece of malware appears as a PHP script," the researchers shared. "After execution, the script kills all ‘/usr/bin/host’ processes, identifies the system architecture (x64 or x86) and system type (Linux or FreeBSD), and drops a malicious shared object named ‘libworker.so’."
New variables, scripts and tasks are created, functions executed and processes run (for in-depth details check out the researchers' paper at Virus Bulletin), and the malware contacts the C&C server in order to send the host's system information and receive instructions on what to do next.
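The article names one host-level indicator a defender can act on: the dropped shared object is called libworker.so. The following Python script is an added example (written for this page, not code from the article or from the Yandex researchers) that looks for that indicator in two places: shared objects mapped into running processes (via /proc/<pid>/maps) and a list of file paths from the filesystem. It also handles the case where the file has been unlinked after loading, which shows up in the maps file as a "(deleted)" suffix. The sample process snapshots and paths at the bottom are constructed for illustration; the /tmp location and the process names are assumptions, not indicators from the article.

```python
"""Look for the libworker.so indicator described in the Mayhem write-up.

Added example, not from the original article. The only page-supplied
indicator is the shared object name; paths and PIDs below are constructed.
"""
import os
import re
from dataclasses import dataclass

# Indicator from the article: the dropped shared object is named libworker.so
DROPPED_SO = "libworker.so"
DELETED_SUFFIX = " (deleted)"  # appended by the kernel when a mapped file is unlinked


@dataclass
class ProcessSnapshot:
    """Minimal view of a process: pid, command name, and its /proc/<pid>/maps text."""
    pid: int
    comm: str
    maps: str


# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def mapped_paths(maps_text):
    """Return the set of pathnames that appear in a maps listing (anonymous regions skipped)."""
    paths = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m and m.group("path"):
            paths.add(m.group("path"))
    return paths


def _strip_deleted(path):
    """Normalise '/tmp/x.so (deleted)' to '/tmp/x.so' so unlinked libraries still match."""
    return path[: -len(DELETED_SUFFIX)] if path.endswith(DELETED_SUFFIX) else path


def find_libworker_mappings(procs):
    """Return (pid, comm, path) for every process with libworker.so mapped."""
    hits = []
    for p in procs:
        for path in sorted(mapped_paths(p.maps)):
            clean = _strip_deleted(path)
            if os.path.basename(clean) == DROPPED_SO:
                hits.append((p.pid, p.comm, clean))
    return hits


def find_libworker_files(paths):
    """Return the paths whose basename is exactly libworker.so (sorted)."""
    return sorted(p for p in paths if os.path.basename(p) == DROPPED_SO)


def snapshot_live_processes():
    """Read comm and maps for every readable process under /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{entry}/maps") as f:
                maps = f.read()
        except OSError:
            continue  # process exited or we lack permission; skip it
        procs.append(ProcessSnapshot(int(entry), comm, maps))
    return procs


# Constructed sample data: one clean worker and two with the indicator loaded.
SAMPLE_PROCS = [
    ProcessSnapshot(1234, "nginx",
        "7f1a00000000-7f1a00021000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libc.so.6\n"
        "7ffc1c000000-7ffc1c021000 rw-p 00000000 00:00 0\n"),
    ProcessSnapshot(4242, "host",
        "7f1a00000000-7f1a00021000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libc.so.6\n"
        "7f1a00400000-7f1a00410000 r-xp 00000000 08:01 9001 /tmp/libworker.so\n"),
    ProcessSnapshot(4243, "host",
        "7f1a00400000-7f1a00410000 r-xp 00000000 08:01 9001 /tmp/libworker.so (deleted)\n"),
]
SAMPLE_FILES = ["/var/www/html/index.php", "/tmp/libworker.so", "/usr/lib/libworker.so.bak"]

if __name__ == "__main__":
    procs = snapshot_live_processes() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, comm, path in find_libworker_mappings(procs):
        print(f"ALERT pid={pid} comm={comm} has {path} mapped")
    for path in find_libworker_files(SAMPLE_FILES):
        print(f"ALERT file present: {path}")
```

Matching on the basename alone is deliberate: the article gives the file name but not where Mayhem writes it, so the check should not assume a directory. The "(deleted)" handling matters because a loader that unlinks its library after dlopen leaves no file to find, but the mapping stays visible until the process exits.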
The researchers managed to gain access to two of the three C&C servers used to manage the botnet, and have discovered that those two control about 1,400 bots, most of which were used to brute force WordPress passwords.
"During our analysis, we found some common features shared between Mayhem and some other *nix malware. The malware is similar to ‘Trololo_mod’ and ‘Effusion’ – two injectors for Apache and Nginx servers respectively," they noted, adding that, despite a lack of evidence, they suspect all these malware families were developed by the same gang.
Yandex researchers weren't the first to detect and analyze Mayhem: the Malware Must Die team had spotted it nearly a month earlier. Both teams researched the malware independently.
Yandex researchers attribute the rising popularity of botnets made up of *nix web servers to several factors: web servers are more powerful than ordinary personal computers and have good uptime; their admins usually update the software manually and irregularly, allowing attackers to find and exploit vulnerabilities; and web server botnets are well suited to earning criminals money from traffic redirection, drive-by download attacks, black hat SEO, and so on.

