Feeds

Manic malware Mayhem spreads through Linux, FreeBSD web servers

And how Google could cripple infection rate in a second

Choosing a cloud hosting partner with confidence

Malware dubbed Mayhem is spreading through Linux and FreeBSD web servers, researchers say. The software nasty uses a grab bag of plugins to cause mischief, and infects systems that are not up to date with security patches.

Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, who work at Russian internet portal Yandex, discovered the malware targeting *nix servers. They traced transmissions from compromised computers to two command and control (C&C) servers. So far they have found 1,400 machines that have fallen to the code, with potentially thousands more to come.

"In the *nix world, autoupdate technologies aren't widely used, especially in comparison with desktops and smartphones. The vast majority of web masters and system administrators have to update their software manually and test that their infrastructure works correctly," the trio wrote in a technical report for Virus Bulletin.

"For ordinary websites, serious maintenance is quite expensive and often webmasters don't have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets."

Mayhem spreads by finding servers hosting websites with a remote file inclusion (RFI) vulnerability – it even uses Google's /humans.txt to test for this. If the ad giant rewrote this file, specifically changing the words "we can shake", Mayhem infections would be slowed – until its rfiscan.so plugin is updated.

Once the malware exploits an RFI, or some other weakness, to run a PHP script on a victim, it drops a shared object called libworker.so onto the infected system and pings its C&C servers.

It then creates a hidden file system, usually called sd0, and downloads eight plugins, none of which were picked up by the VirusTotal malware scanning tool.

These include a couple of brute-force password crackers targeting FTP, Wordpress and Joomla accounts – presumably to spread the malware further – and information-gathering web crawlers, one of which hunts for other sites with RFI holes.

Some of the vulnerable web applications Mayhem scans for ... click for slightly larger version (Credit: Kovalev, Otrashkevich, Sidorov)

The Yandex trio warn there may be other plugins in circulation, based on data found on the two cracked C&C servers. These include a tool specifically to exploit systems that haven't patched the Heartbleed vulnerability in OpenSSL.

The team notes that the Mayhem code does bear several similarities to the Trololo_mod and Effusion families of malware, which target Apache and Nginx servers respectively. They recommend system administrators check their servers to make sure Mayhem's spread is limited. ®

Remote control for virtualized desktops

More from The Register

next story
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
The DRUGSTORES DON'T WORK, CVS makes IT WORSE ... for Apple Pay
Goog Wallet apparently also spurned in NFC lockdown
IBM, backing away from hardware? NEVER!
Don't be so sure, so-surers
Hey - who wants 4.8 TERABYTES almost AS FAST AS MEMORY?
China's Memblaze says they've got it in PCIe. Yow
Microsoft brings the CLOUD that GOES ON FOREVER
Sky's the limit with unrestricted space in the cloud
This time it's SO REAL: Overcoming the open-source orgasm myth with TODO
If the web giants need it to work, hey, maybe it'll work
'ANYTHING BUT STABLE' Netflix suffers BIG Europe-wide outage
Friday night LIVE? Nope. The only thing streaming are tears down my face
Google roolz! Nest buys Revolv, KILLS new sales of home hub
Take my temperature, I'm feeling a little bit dizzy
Storage array giants can use Azure to evacuate their back ends
Site Recovery can help to move snapshots around
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.