Linux and FreeBSD Servers Infected to Function like a Windows Bot

July 18th, 2014, 14:46 GMT · By Ionut Ilascu

Again another reason to use the new Web component on the managed services RMM (MspManagedNetwork)

Security researchers have found a new malware, dubbed Mayhem, that targets Linux and FreeBSD web servers in order to turn them into bots, without requiring root access. Scary

Three security experts, Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, from Russia-based Yandex, discovered that the malicious attack is conducted via a more sophisticated PHP script.

Mayhem was first detected in April 2014, and the researchers say that it is continuing the “Fort Disco” brute-force campaign that was revealed by Arbor Networks in 2013.

In a paper published by security publication Virus Bulletin, the trio asserts that this piece of malware is a new type that can work under restricted privileges on the systems and has been created with multiple functionality in mind.

After being uploaded on VirusTotal, it was revealed that the initial PHP script had a low detection rate with the antivirus engines available.

As soon as the target is reached, the script proceeds to kill all “/usr/bin/host” processes, check for the system architecture and operating system, and then downloads a malicious object identified as “”

Apart from this, a variable is defined, “AU,” which includes the URL of the script that is executed. Another stage of the infection is to create a shell script that is then executed.

Communication is established with the command and control servers, which can send the malware different instructions. Since it is modular, Mayhem’s functions can be expanded through plug-ins; at the moment, eight have been discovered.

These range from cracking passwords on WordPress and Joomla CMSs using the brute-force technique, crawling web pages to collect information and finding a remote file inclusion (RFI) vulnerability, to enumerating users on WordPress websites.

The team analyzed the command and control servers used for managing the botnet and successfully retrieved some statistics from two of them, which together managed 1,400 infected servers.

It seems that the geographical areas with most infections are the U.S., Russia, Germany, and Canada.

The cybercriminals have not enabled the full functionality of the master machines, since they host additional components that had not been delivered to the bots.

In the technical analysis of Mayhem, the researchers say they found “a plug-in that exploits the recently identified ‘Heartbleed’ vulnerability and collects data from vulnerable servers.”

On the bright side, they discovered security glitches in the code of the command and control scripts, which might be leveraged to dismantle the Mayhem botnets.

“During our analysis, we found some common features shared between Mayhem and some other *nix malware. The malware is similar to ‘Trololo_mod’ and ‘Effusion’ [11] – two injectors for Apache and Nginx servers respectively,” reads the analysis paper.

UNIX-like web servers are gaining the interest of cybercriminals more and more lately, due to the monetization potential they have. These machines can be used to direct users to online locations delivering malware.

Additionally, the automatic update mechanisms and anti-virus products are generally not used by the administrators of these systems, which creates an opportunity for cybercriminals.

Roy Miehe | | Ceo/President
GFI Max Distributor
Where Service and Technical Skills Count

Tags: , , , , , , , , , , , , ,

Comments are closed.

%d bloggers like this: