Mumblehard spam-spewing botnet floored
Single point of failure key in takedown
Security researchers have teamed up with authorities in Ukraine to take down a spam-spewing Linux-infesting botnet.
Security firm ESET teamed up with CyS-CERT and the Cyber Police of Ukraine to take down the Mumblehard botnet.
A year ago, ESET analyzed the Mumblehard botnet, which was made up of thousands of infected Linux systems located all around the world. As part of their research, ESET researchers registered a domain that acted as a command and control (C&C) server for the backdoor component of the zombie network. The technique allowed security researchers to estimate the botnet's size and distribution.
Authors of malware responded to this interference in their affairs by reducing the number of C&C servers to one – in Ukraine, under the direct control of the attacker. This created a single point of failure that cleared the way for the subsequent takedown op.
"The forensics analysis revealed that at the moment of takedown, there were nearly 4,000 systems from 63 different countries in the botnet," said Marc-Etienne Léveillé, a malware researcher at ESET.
Among other developments since the botnet's disclosure in April 2015, the system had been designed to automatically attempt to delist components that appeared in the Spamhaus Block List, a widely used and long-standing anti-spam defense. If a script automatically monitoring the IP addresses of all the infected machines found one to be blacklisted, it requested that it be delisted.
"These kinds of requests are protected with CAPTCHA to avoid automation, but the botnet operators were using OCR or external services to break the protection," Léveillé explained.
Data collected from ESET's sinkhole server will make it possible to notify an infected server's administrators. Germany's Computer Emergency Response Team, CERT-Bund, stepped in, and has started notifying the infected organizations.
To avoid future infections, ESET security experts advise that web applications hosted on a server – including plugins – are up to date and that administrative accounts are protected with strong two-factor authentication.
More details on the Mumblehard botnet takedown can be found in an article by Léveillé on ESET's official security blog here. ®