Wordpress munching contagion turns Linux servers into spam bots
Spam spam spam spam, lovely spam! Wonderful spam!
The Mumblehard malware is turning Linux and BSD server into spam-spewing zombies.
Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace.
Mumblehard is made up of two different components. The first component is a generic backdoor that requests commands from its command and control server. The second component is a "full-featured spammer daemon" process, which is launched via a command received via the backdoor.
The malware exploits vulnerabilities in Joomla (the content management system) and WordPress (the much-hacked blogging and CMS platform), as explained in greater depth in a blog post by ESET here.
Mumblehard is also distributed via ‘pirated’ copies of a Linux and BSD program known as DirectMailer, bulk mailer software developed by Yellsoft and sold through the Russian firm's website for $240. “Our investigation showed strong links with a software company called Yellsoft,” explained ESET malware researcher Marc-Etienne M.Léveillé.
“Among other discoveries, we found that IP addresses hard-coded in the malware are closely tied to those of Yellsoft,” explained Léveillé.
El Reg approached Yellsoft for comment via Twitter (since its yellsoft.net didn't resolve). We haven't heard anything back at the time of going to press.
ESET's in-depth technical research paper, entitled Unboxing Linux/Mumblehard – Muttering Spam for your Servers can be found here here (pdf).
Attacks of this type are far from unprecedented. For example, malware dubbed Mayhem was caught spreading through Linux and FreeBSD web servers in Russia and elsewhere last July. The crimeware spread by exploited unpatched blogging platform plug-ins. ®