A new Linux malware family featuring dual components, dubbed “Mumblehard,” has been uncovered by ESET researchers, who say that the threat remained undetected for more than five years.
The malware's backdoor and spamming daemon components are written in the Perl programming language and “feature the same custom packer written in assembly language,” a Wednesday blog post by ESET researcher Marc-Etienne Léveillé explained.
“The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average,” he continued. By observing botnet traffic, ESET concluded that attackers primarily use Mumblehard to spam users “by sheltering behind the reputation of the legitimate IP addresses of the infected machines.”
In the first week of April, alone, ESET found that more than 3,000 machines were infected with the Linux malware. And while infections gradually dropped, the botnet appears to grow at specific times and, overall, has doubled over a six month window, Léveillé wrote.
A brief write-up on the threat notes that Mumblehard is often included in the installation package of an application called DirectMailer, when victims try to download the software from “untrustworthy sources.” Léveillé, who also published a white paper (PDF) on the malware family, noted in his blog post that to mitigate attacks, users should look for “unsolicited cronjob entries for all the users on their servers.”
“This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes,” he explained. “The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”