ESET, in collaboration with CyS-CERT and other partners, has taken down Mumblehard, the infamous Linux server botnet.
A year ago, ESET analyzed the Mumblehard botnet, which comprised thousands of infected Linux systems located all around the world. Today, ESET announces that in cooperation with CyS-CERT and the Cyber Police of Ukraine, Mumblehard has been successfully taken down.
When publishing the discovery, ESET researchers also registered a domain that the backdoor component used as a C&C server, and sinkholed it in order to estimate the botnet's size and distribution. In response, the authors of the malware reduced the number of C&C servers to one, located in Ukraine and under the direct control of the attacker.
“The forensics analysis revealed that at the moment of takedown, there were nearly 4000 systems from 63 different countries in the botnet. The researchers also discovered additional details about the operation,” says Marc-Etienne Léveillé, Malware Researcher at ESET.
Among the changes the operators introduced after the botnet's disclosure in April 2015 was automatic delisting from Spamhaus' blocklist: a script monitored the IP addresses of all infected machines and, whenever it found one to be listed, requested that it be delisted.
“These kinds of requests are protected with CAPTCHA to avoid automation, but the botnet operators were using OCR or external services to break the protection,” explains Léveillé.
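The monitoring half of that mechanism is the same DNSBL lookup an administrator can run to check whether their own mail or web server has been listed. The following is an added example and not code from ESET, the page, or the botnet: it builds the reversed-octet query name for Spamhaus ZEN, interprets the returned A records using the return codes from Spamhaus' public documentation (assumed here; check the current docs before relying on them), and distinguishes a real listing from the 127.255.255.x error codes that signal a misused or rate-limited query. The sample answers are constructed so the check runs offline; swap in `system_resolver` for a live lookup.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

ZONE = "zen.spamhaus.org"

# Return-code meanings for ZEN, as given in Spamhaus' public documentation
# (assumption for this example; verify against the current documentation).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# These answers mean the query itself was rejected, not that the IP is listed.
ZEN_ERRORS: Dict[str, str] = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via open/public resolver",
    "127.255.255.255": "excessive query volume",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL lookup name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def classify_response(answers: List[str]) -> Dict[str, object]:
    """Turn the A records returned for a DNSBL name into a verdict."""
    lists = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    errors = [ZEN_ERRORS[a] for a in answers if a in ZEN_ERRORS]
    unknown = [a for a in answers if a not in ZEN_CODES and a not in ZEN_ERRORS]
    return {
        "listed": bool(lists),
        "lists": lists,
        "error": errors[0] if errors else None,
        "unknown": unknown,
    }


def system_resolver(name: str) -> List[str]:
    """Live lookup via the host resolver; an empty list means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_listing(ip: str, resolver: Resolver = system_resolver,
                  zone: str = ZONE) -> Dict[str, object]:
    """Query the DNSBL for one address and return the interpreted verdict."""
    name = dnsbl_query_name(ip, zone)
    verdict = classify_response(resolver(name))
    verdict["query"] = name
    return verdict


# Constructed sample answers (not real Spamhaus data) so the check runs offline.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.4"],         # XBL: exploited host
    "9.113.0.203.zen.spamhaus.org": [],                     # NXDOMAIN: not listed
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],      # error, not a listing
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.9", "192.0.2.1"):
        print(ip, check_listing(ip, fake_resolver))
```

Treating an error code as "not listed" rather than "listed" matters: a script that misread 127.255.255.254 as a listing would fire delisting requests for clean hosts, and one that ignored it entirely would silently stop seeing real listings once a public resolver was in the path.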
Based on data collected from ESET’s sinkhole server, it’s now possible to notify the infected servers’ administrators. Germany’s Computer Emergency Response Team, CERT-Bund, stepped in, and has started notifying the infected organizations.
“If you receive a notification that your server is infected, head to our indicators of compromise at the Github repository for more details about how to find and remove Mumblehard on your system,” recommends Léveillé.
The Mumblehard botnet takedown serves as another example of successful cross-border cooperation between experts from security firms and the public sector with law enforcement institutions.
To avoid future infections, ESET security experts advise keeping the web applications hosted on a server – including their plugins – up to date, and protecting administrative accounts with strong two-factor authentication. Additional details about the Mumblehard botnet takedown can be found in an article by Marc-Etienne M. Léveillé on ESET's official security blog, WeLiveSecurity.com.
For more information, please visit https://www.version-2.com/ or call (852) 2893 8860.