ESET, in collaboration with CyS-CERT and other partners, has taken down Mumblehard, the infamous Linux server botnet.
A year ago, ESET analyzed the Mumblehard botnet which was comprised of thousands of infected Linux systems located all around the world. Today, ESET announces that in cooperation with CyS-CERT and the Cyber Police of Ukraine, Mumblehard has been successfully taken down.
When publishing the discovery, ESET researchers also registered a domain acting as a C&C server for the backdoor component in order to estimate the botnet size and distribution. This caused the authors of the malware to reduce the number of C&C servers to one – in Ukraine, under the direct control of the attacker.
“The forensics analysis revealed that at the moment of takedown, there were nearly 4000 systems from 63 different countries in the botnet. The researchers also discovered additional details about the operation,” says Marc-Etienne Léveillé, Malware Researcher at ESET.
Among other innovations from the botnet’s disclosure in April 2015, the system allowed for automatic delisting from Spamhaus’ Blocking List. If a script automatically monitoring the IP addresses of all the infected machines found one to be blacklisted, it requested that it be delisted.
“These kinds of requests are protected with CAPTCHA to avoid automation, but the botnet operators were using OCR or external services to break the protection,” explains Léveillé.
Based on data collected from ESET’s sinkhole server, it’s now possible to notify the infected servers’ administrators. Germany’s Computer Emergency Response Team, CERT-Bund, stepped in, and has started notifying the infected organizations.
“If you receive a notification that your server is infected, head to our indicators of compromise at the Github repository for more details about how to find and remove Mumblehard on your system,” recommends Léveillé.
The Mumblehard botnet takedown serves as another example of successful cross-border cooperation between experts from security firms and the public sector with law enforcement institutions.
To avoid future infections, ESET security experts advise that web applications hosted on a server – including plugins – are up to date and that administrative accounts have strong two-factor authentication. Additional details about the Mumblehard botnet takedown can be found in an article by Marc-Etienne M. Léveillé on ESET’s official security blog, WeLiveSecurity.com.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.