Advance Notification of Cyber Threats: Linux/Mumblehard
Summary: Mumblehard contains a backdoor that grants the attacker full control of the infected machine by executing arbitrary commands. It also enrolls infected machines in a botnet that sends spam e-mail.
It has been brought to our attention that a family of Linux malware called Mumblehard has been operating undetected for nearly five years. Mumblehard has two components. The first is a generic backdoor that periodically contacts its command-and-control servers and runs the commands it receives, giving the attacker full control of the victim. The second is a spamming daemon with a built-in proxy module that sends spam e-mail from the infected host. Both components are Perl scripts hidden inside ELF binaries; the packer that decrypts and launches the script is written in assembly language. The backdoor is typically dropped under /tmp and kept alive by a cron entry, which is why the recommendations below focus on those two places. According to ESET, their analysis states the following:
- The Perl scripts are packed inside ELF binaries by a packer written in assembly language.
- 8,867 unique IP addresses were seen infected over a 7-month period.
- Mumblehard has been active since at least 2009.
- Mumblehard mostly targets web servers.
- Mount /tmp (and /var/tmp) with the "noexec" option so that a binary dropped there cannot be executed; this prevents the backdoor from starting in the first place. Note that noexec is not a complete defense on its own: an interpreter such as perl can still be pointed at a script stored on a noexec filesystem, so combine it with the monitoring below.
- Monitor network traffic for suspicious activity, in particular unexpected outbound SMTP (TCP port 25) connections and periodic connections from the server to unknown hosts.
- Monitor e-mail accounts and the mail server logs for spam messages being sent from within the local domain.
- Review cron entries regularly (the root and user crontabs, /etc/crontab and /etc/cron.d) for jobs you did not create, especially ones that run a file under /tmp or /var/tmp.
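The following shell script is an added example, not part of this advisory or of ESET's analysis. It implements two of the checks above: whether a temporary filesystem is mounted with noexec, and whether any cron entry runs a command from a world-writable temporary directory. The mount table and crontab lines embedded in it are constructed sample data so the script runs offline; the `/tmp/.x/run` cron line is illustrative of the pattern, not a captured Mumblehard entry. On a live host, feed it `/proc/mounts` and the real crontabs instead.

```shell
#!/bin/sh
# Hardening/detection checks for the advisory's recommendations (added example).
# All sample data below is constructed, not taken from an infected host.

# Constructed /proc/mounts content: /tmp lacks noexec, /var/tmp has it.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed crontab lines; the second one mimics a job that would
# relaunch a binary dropped in /tmp every 15 minutes.
SAMPLE_CRON='0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.x/run >/dev/null 2>&1
30 4 * * * root /usr/sbin/aide --check'

# tmp_has_noexec MOUNTS MOUNTPOINT
# Returns 0 if MOUNTPOINT appears in MOUNTS (in /proc/mounts format:
# device mountpoint fstype options dump pass) with "noexec" among its
# options, 1 otherwise (including when the mountpoint is not listed).
tmp_has_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# suspicious_cron_lines CRONTEXT
# Prints every line whose command references a file under /tmp, /var/tmp
# or /dev/shm, the usual drop locations for a cron-relaunched backdoor.
suspicious_cron_lines() {
    printf '%s\n' "$1" | grep -E '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/'
}

# count_suspicious_cron CRONTEXT -> number of matching lines (0 if none)
count_suspicious_cron() {
    suspicious_cron_lines "$1" | wc -l | tr -d ' '
}

# report MOUNTS CRONTEXT
# Prints one line per check; returns 1 if any check fails, 0 otherwise.
report() {
    rc=0
    for mp in /tmp /var/tmp; do
        if tmp_has_noexec "$1" "$mp"; then
            printf 'OK    %s is mounted noexec\n' "$mp"
        else
            printf 'WARN  %s is not mounted noexec\n' "$mp"
            rc=1
        fi
    done
    n=$(count_suspicious_cron "$2")
    if [ "$n" -eq 0 ]; then
        printf 'OK    no cron job runs from a temporary directory\n'
    else
        printf 'WARN  %s cron job(s) run from a temporary directory:\n' "$n"
        suspicious_cron_lines "$2" | sed 's/^/      /'
        rc=1
    fi
    return $rc
}

# Run the checks on the constructed samples. On a real host replace the
# arguments with "$(cat /proc/mounts)" and the concatenated output of
# "crontab -l" for every user plus /etc/crontab and /etc/cron.d/*.
report "$SAMPLE_MOUNTS" "$SAMPLE_CRON" || true
```

The mount check parses the options field rather than grepping the whole line, so a device or path that happens to contain the string "noexec" cannot produce a false pass. The cron check requires a trailing slash after the directory name, so `/tmp` matches `/tmp/.x/run` but not an unrelated path such as `/tmpfiles/...`; tighten or extend the directory list to match your own hosts.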