Unnoticed for years, malware turned Linux and BSD servers into spamming machines

“For over 5 years, and perhaps even longer, servers around the world running Linux and BSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found.

What’s more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a “system for automated e-mail distribution” that allows users to send out anonymous email.

This operation succeeded in remaining hidden for so long thanks to several factors: the sophistication of the malware used, its stealth and persistence, the fact the spammers aren’t constantly infecting new machines, and that each of the infected machines wasn’t made to blast out spam all the time.

The researcher began their investigation with a piece of malware they found on a server that was blacklisted for sending spam. They dubbed it Mumblehard. After analyzing it, they found that it has several distinct components: a generic backdoor that contacts its C&C server and downloads the spammer component and a general purpose-proxy.

“Mumblehard components are mainly Perl scripts encrypted and packed inside ELF binaries. In some cases, the Perl script contains another ELF executable with the same packer in the fashion of a Russian nesting doll,” researcher Marc-Etienne Leveille shared in a paper detailing their findings. “We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”

Thanks to the fact that the backdoor always and repeatedly tries to contact all of the 10 C&C domains listed in its configuration file, the researchers have managed to take control of one of them (its registration had expired), which allowed them to monitor the activity of the infected hosts between September 19th 2014 and April 22nd 2015.

“During the period over which we collected data, we saw Mumblehard queries from 8,867 unique IP addresses. The majority of them are servers that are used for hosting websites,” says Leveille. “We can see that the number of infected hosts is slowly decreasing, but has timely increases from time to time. The operators are initiating discrete waves of server infection rather than spreading in a continuous fashion.”

The C&C server did not always send commands to the bots to start spamming. Sometimes it did, for hours. Other days it would stay mum, and the bots remained dormant.

But it was the addresses of the C&C servers hardcoded in the Mumblehard samples what led the researchers to Yellsoft, as there is indication they are hosted on the company’s web server.

A look at the company’s page reveals that DirectMailer is written in Perl and runs on UNIX-type systems. “Pretty much like Mumblehard,” Leveille points out.

The price of the software is $240, but interestingly enough, there is a link to a site offering a “cracked” version of DirectMailer. The developers explicitly say that they don’t provide technical support for users of pirated versions of DirectMailer downloaded from that site or any other, but the fact that they provide a direct link is strange.

“Why would you want to show where to steal your software?” asks Leveille, and comments that it is this, and the facts that Yellsofts homepage seems to be hosted on the same server as Mumblehards backdoor and spammer C&C server and that the pirated DirectMailer and Mumblehards spammer share code what makes them suspect they are the same group.

The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, and allow them to send spam from and proxy traffic through them.

I wondered whether the original DirectMailer software contained the backdoor, too, but Leveille couldn’t answer that question for me.

“We do not know if the paid-for version of DirectMailer also include the backdoor or not. We did not, and didnt want to, buy software from Yellsoft,” he noted. “If anyone has a paid copy they are willing to send us, wed be glad to analyze it and confirm if the backdoor is present.”

What’s worrying, he says, is that the Mumblehard operators have been active for many years without disruption.

“It is unclear if spamming is the only goal of this group. In theory, it is possible for the cybercriminals to deploy other executable files to thousands of servers at once. Do they send other types of spam with their botnet? Is a pharmaceutical online store lucrative enough to justify the effort?” These questions remain unanswered.

The researchers believe that Mumblehard is also installed on servers compromised via Joomla and WordPress exploits, and have urged administrators to check whether their servers have been hit: “Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes. The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”

For more details about the malware and for indicators of compromise, check out the white paper.”