Mayhem malware ropes Linux, UNIX servers into botnets
Posted on 18.07.2014
A new piece of malware that researchers have dubbed Mayhem is being used to target Linux and Unix web servers and has so far compromised over 1,400 Linux and FreeBSD servers around the world, warn researchers from Russian Internet giant Yandex.


Mayhem has the functions of a traditional Windows bot, but doesn't need root access to make use of them. The malware is modular and can likely be made to do a number of things, but the current version can:
  • Find websites that contain a remote file inclusion (RFI) vulnerability
  • Enumerate users of WordPress sites
  • Identify user login pages in sites based on the WordPress CMS
  • Brute force passwords for sites based on the WordPress and Joomla CMSs
  • Brute force passwords for almost any login page
  • Brute force FTP accounts
  • Crawl web pages (both by URL and IP) and extract useful information
During their investigation, the researchers also discovered that Mayhem is a continuation of the Fort Disco brute-force campaign unearthed by Arbor ASERT in August 2013.

"Initially, the piece of malware appears as a PHP script," the researchers shared. "After execution, the script kills all ‘/usr/bin/host’ processes, identifies the system architecture (x64 or x86) and system type (Linux or FreeBSD), and drops a malicious shared object named ‘libworker.so’."

New variables, scripts and tasks are created, functions executed and processes run (for in-depth details check out the researchers' paper at Virus Bulletin), and the malware contacts the C&C server in order to send the host's system information and receive instructions on what to do next.
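The infection chain quoted above (existing /usr/bin/host processes killed, then a shared object named libworker.so dropped) suggests a simple host triage check. The following Python is an added example, not code from the article or from the Yandex paper; it assumes that the dropped library ends up mapped into a process named host and that the trusted library directories listed match the host's distribution.

```python
import os
import re

# Indicator from the article: the dropper writes a shared object named 'libworker.so'.
KNOWN_BAD_SO = {"libworker.so"}
# Directories legitimately installed libraries load from (assumption: tune per distro).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# Pathname column of a /proc/<pid>/maps line, when it names a shared object.
MAPS_SO_RE = re.compile(r"\s(/\S+\.so(?:\.\d+)*)$")

def loaded_objects(maps_text: str) -> list[str]:
    """Return the distinct shared-object paths mapped in a /proc/<pid>/maps dump."""
    paths: list[str] = []
    for line in maps_text.splitlines():
        m = MAPS_SO_RE.search(line)
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths

def suspicious_objects(comm: str, maps_text: str) -> list[str]:
    """Flag the known Mayhem library wherever it is mapped and, for a process named
    'host' (assumed to be the loader process), any library from outside trusted dirs."""
    flagged = []
    for path in loaded_objects(maps_text):
        if os.path.basename(path) in KNOWN_BAD_SO:
            flagged.append(path)
        elif comm == "host" and not path.startswith(TRUSTED_LIB_DIRS):
            flagged.append(path)
    return flagged

def scan_procs(procs: dict[int, dict[str, str]]) -> dict[int, list[str]]:
    """procs maps pid -> {'comm': name, 'maps': maps text}; returns pid -> flagged paths."""
    hits = {}
    for pid, info in procs.items():
        flagged = suspicious_objects(info["comm"], info["maps"])
        if flagged:
            hits[pid] = flagged
    return hits

# Constructed sample (not a real capture): a clean sshd and a 'host' process with the dropped library mapped from the web root.
SAMPLE_PROCS = {
    1201: {"comm": "sshd", "maps": "7f00-7f10 r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"},
    4412: {"comm": "host", "maps": "7f20-7f30 r-xp 00000000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
                                   "7f40-7f50 r-xp 00000000 08:01 3 /var/www/html/uploads/libworker.so\n"},
}

if __name__ == "__main__":  # on a live Linux host, build procs from /proc/<pid>/comm and /proc/<pid>/maps
    for pid, paths in scan_procs(SAMPLE_PROCS).items():
        print(f"pid {pid}: {', '.join(paths)}")
```

Reading every process's maps requires root; FreeBSD hosts need a procstat-based collector instead of /proc.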

The researchers managed to gain access to two of the three C&C servers used to manage the botnet, and have discovered that those two control about 1,400 bots, most of which were used to brute force WordPress passwords.

"During our analysis, we found some common features shared between Mayhem and some other *nix malware. The malware is similar to ‘Trololo_mod’ and ‘Effusion’ – two injectors for Apache and Nginx servers respectively," they noted, and added that, despite a lack of evidence, they suspect all these malware families were developed by the same gang.

Yandex researchers weren't the first to detect and analyze Mayhem: the Malware Must Die team had spotted it nearly a month earlier. Both teams researched the malware independently.

Yandex researchers attribute the rising popularity of botnets made up of *nix web servers to several factors: web servers are more powerful than ordinary personal computers and have good uptime; their admins usually update the software manually and irregularly, allowing attackers to find and exploit vulnerabilities; and web server botnets are well suited to making criminals money through traffic redirection, drive-by download attacks, black hat SEO, and so on.
Copyright 1998-2014 by Help Net Security.