Advance Notification of Cyber Threats Linux/Mumblehard

Security Advisory: AE-Advisory 15-011 Criticality: high
Issue Discovered On: 29-April-2015    
Advisory Released On: 30-April-2015    
Last Revised On: 30-April-2015    
Impact: Contains a backdoor that grants full control of the infected machine by running arbitrary code. It also infects machines to become botnets and sends spam messages (e-mail).
Affected Platforms

All Platforms


It has been brought to our attention that there is a family of Linux malware called Mumblehard that has been hiding for nearly five years. Mumblehard is divided into two parts; the first part injects an assembly language script in order to grant the attacker full control and access to the victim and then the second part is the malware has a built-in proxy module that gives it authority to send spam e-mail messages. According to ESET, their analysis states the following:Perl scripts inside ELF binaries were written in assembly language.A number of 8,867 unique IP addresses were infected in a 7-month period.Mumblehard has been active since at least 2009.Mumblehard targets web servers mostly.

  • Mount the tmp directory with the “noexec” option to prevent the backdoor from starting in the first place.
  • Monitor network traffic for any suspicious activity.
  • Monitor e-mail accounts to see any spam e-mail messages being sent within the local domain.
  • Monitor cronjob entries regularly to make sure no unsolicited cronjobs exist.

Other References

Back To Advisory List