Mayhem has the functions of a traditional Windows bot, but doesn't need root access to make use of them. The malware is modular and can likely be extended to do a number of other things, but the current version can:
- Find websites that contain a remote file inclusion (RFI) vulnerability
- Enumerate users of WordPress sites
- Identify user login pages in sites based on the WordPress CMS
- Brute force passwords for sites based on the WordPress and Joomla CMSs
- Brute force passwords for almost any login page
- Brute force FTP accounts
- Crawl web pages (both by URL and IP) and extract useful information
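Two of the behaviours listed above, WordPress user enumeration and login brute forcing, leave a recognisable trail in a web server's own access log. The following Python is an added example of that detection logic; it is not code from the article or from the Yandex researchers' paper. The request patterns it looks for (walking `?author=N` IDs, which WordPress answers with a redirect to the author page, and repeated POSTs to `wp-login.php`) are the usual ways to perform these two steps, but the article does not say which requests Mayhem sends, so treating them as Mayhem indicators is an assumption, as are the thresholds. The log lines are constructed for the example.

```python
"""Flag WordPress user enumeration and wp-login.php brute forcing in
combined-format (Apache/Nginx) access logs.

Added example, not code from the article or from the Yandex paper. The
?author=N and wp-login.php patterns and the thresholds are assumptions;
the log lines below are constructed.
"""
import re
from collections import defaultdict

# Combined log format: client IP, two ignored fields, [timestamp],
# "METHOD path protocol", status. The rest of the line is not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Thresholds are assumptions; tune them to the site's normal traffic.
ENUM_THRESHOLD = 5      # distinct author IDs probed by one client
LOGIN_THRESHOLD = 10    # POSTs to wp-login.php by one client


def parse_line(line):
    """Return (ip, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], m['method'], m['path'], int(m['status'])


def detect(lines):
    """Return {ip: [findings]} for clients whose requests exceed a threshold."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, _status = parsed
        am = AUTHOR_RE.search(path)
        if am:
            author_ids[ip].add(int(am.group(1)))
        if method == 'POST' and path.split('?')[0].endswith('/wp-login.php'):
            login_posts[ip] += 1

    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings[ip].append(
                f'wordpress user enumeration: {len(ids)} author IDs probed')
    for ip, n in login_posts.items():
        if n >= LOGIN_THRESHOLD:
            findings[ip].append(f'wp-login.php brute force: {n} POSTs')
    return dict(findings)


# Constructed sample: one client walks author IDs 1-6 (WordPress answers
# with a 301 to /author/<name>/ when the ID exists), then hammers
# wp-login.php; a second client logs in once and is left alone.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jul/2014:12:00:{i:02d} +0000] '
    f'"GET /?author={i} HTTP/1.1" 301 0 "-" "Mozilla/5.0"'
    for i in range(1, 7)
] + [
    f'203.0.113.7 - - [10/Jul/2014:12:01:{i:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '198.51.100.4 - - [10/Jul/2014:12:02:00 +0000] '
    '"GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2014:12:02:05 +0000] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    for ip, notes in detect(SAMPLE_LOG).items():
        for note in notes:
            print(f'{ip}: {note}')
```

Run against a real log with `detect(open('/var/log/apache2/access.log'))`; the enumeration rule counts distinct IDs rather than requests so that a legitimate author-archive visitor hitting one ID repeatedly is not flagged, and the brute-force rule counts only POSTs, since GETs of the login page are normal traffic.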
"Initially, the piece of malware appears as a PHP script," the researchers shared. "After execution, the script kills all ‘/usr/bin/host’ processes, identifies the system architecture (x64 or x86) and system type (Linux or FreeBSD), and drops a malicious shared object named ‘libworker.so’."
New variables, scripts and tasks are then created, functions executed and processes started (for in-depth details see the researchers' paper at Virus Bulletin), after which the malware contacts the C&C server to report the host's system information and receive instructions on what to do next.
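The one concrete host indicator the researchers give above is the file name of the dropped shared object, libworker.so. The following Python is an added example of a host-side check for it; it is not the researchers' code. It does only what the article supports: look for a file of that name on disk and for a mapping of that name in any process's /proc/<pid>/maps. The article does not say where the file is dropped or how it is loaded, so the search roots are an assumption, and the maps excerpt used for the self-test is constructed, not captured from an infection.

```python
"""Host-side check for a dropped libworker.so, on disk and mapped into
running processes.

Added example, not the researchers' code. Only the file name comes from the
article; the search roots are an assumption and SAMPLE_MAPS is constructed.
"""
import os

IOC_NAME = 'libworker.so'
# Assumed search roots: temp directories and web-server writable locations.
SEARCH_ROOTS = ('/tmp', '/var/tmp', '/dev/shm', '/var/www', '/home')


def find_dropped_files(roots=SEARCH_ROOTS, name=IOC_NAME):
    """Return paths of files named `name` under `roots`; missing roots are skipped."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            if name in files:
                hits.append(os.path.join(dirpath, name))
    return hits


def mapped_paths(maps_text, name=IOC_NAME):
    """Return the distinct paths in /proc/<pid>/maps text whose basename is `name`.

    A maps line has six whitespace-separated fields when a file is backing
    the mapping, the sixth being the path:
    7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234 /tmp/libworker.so
    Anonymous mappings have five fields and pseudo-paths like [stack] never
    match a real file name.
    """
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and os.path.basename(parts[5]) == name:
            found.add(parts[5])
    return sorted(found)


def find_loaded_processes(name=IOC_NAME, proc='/proc'):
    """Return [(pid, comm, [paths])] for processes that have `name` mapped."""
    results = []
    if not os.path.isdir(proc):
        return results
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f'{proc}/{pid}/maps') as fh:
                paths = mapped_paths(fh.read(), name)
            if paths:
                with open(f'{proc}/{pid}/comm') as fh:
                    comm = fh.read().strip()
                results.append((int(pid), comm, paths))
        except OSError:
            continue  # process exited, or maps not readable without privileges
    return results


# Constructed maps excerpt for testing mapped_paths(); not from a real host.
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131 /usr/local/bin/app
7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234 /tmp/libworker.so
7f3a1c021000-7f3a1c220000 ---p 00021000 08:01 1234 /tmp/libworker.so
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 08:01 99 /lib/x86_64-linux-gnu/libc.so.6
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == '__main__':
    for path in find_dropped_files():
        print('dropped file:', path)
    for pid, comm, paths in find_loaded_processes():
        print(f'pid {pid} ({comm}) has {", ".join(paths)} mapped')
```

Run it as root so every process's maps is readable; an unprivileged run silently skips other users' processes. A name match is a weak indicator on its own, so treat a hit as a prompt to pull the file and compare it with the samples described in the Virus Bulletin paper rather than as proof of infection.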
The researchers managed to gain access to two of the three C&C servers used to manage the botnet, and have discovered that those two control about 1,400 bots, most of which were used to brute force WordPress passwords.
"During our analysis, we found some common features shared between Mayhem and some other *nix malware. The malware is similar to ‘Trololo_mod’ and ‘Effusion’ – two injectors for Apache and Nginx servers respectively," they noted, and added that, despite a lack of evidence, they suspect all these malware families were developed by the same gang.
Yandex researchers weren't the first to detect and analyze Mayhem: the Malware Must Die team had spotted it nearly a month earlier. Both teams researched the malware independently.
Yandex researchers attribute the rising popularity of botnets made up of *nix web servers to several factors: web servers are more powerful than ordinary personal computers and have good uptime; their admins usually update software manually and irregularly, leaving vulnerabilities for attackers to find and exploit; and web-server botnets are well suited to making criminals money through traffic redirection, drive-by download attacks, black hat SEO, and so on.