ESET, in collaboration with CyS-CERT and other partners, has taken down Mumblehard, the infamous Linux server botnet.
A year ago, ESET analyzed the Mumblehard botnet which was comprised of thousands of infected Linux systems located all around the world. Today, ESET announces that in cooperation with CyS-CERT and the Cyber Police of Ukraine, Mumblehard has been successfully taken down.
When publishing the discovery, ESET researchers also registered a domain acting as a C&C server for the backdoor component in order to estimate the botnet size and distribution. This caused the authors of the malware to reduce the number of C&C servers to one – in Ukraine, under the direct control of the attacker.
“The forensics analysis revealed that at the moment of takedown, there were nearly 4000 systems from 63 different countries in the botnet. The researchers also discovered additional details about the operation,” says Marc-Etienne Léveillé, Malware Researcher at ESET.
Among other innovations from the botnet’s disclosure in April 2015, the system allowed for automatic delisting from Spamhaus’ Blocking List. If a script automatically monitoring the IP addresses of all the infected machines found one to be blacklisted, it requested that it be delisted.
“These kinds of requests are protected with CAPTCHA to avoid automation, but the botnet operators were using OCR or external services to break the protection,” explains Léveillé.
Based on data collected from ESET’s sinkhole server, it’s now possible to notify the infected servers’ administrators. Germany’s Computer Emergency Response Team, CERT-Bund, stepped in, and has started notifying the infected organizations.
“If you receive a notification that your server is infected, head to our indicators of compromise at the Github repository for more details about how to find and remove Mumblehard on your system,” recommends Léveillé.
The Mumblehard botnet takedown serves as another example of successful cross-border cooperation between experts from security firms and the public sector with law enforcement institutions.
To avoid future infections, ESET security experts advise that web applications hosted on a server – including plugins – are up to date and that administrative accounts have strong two-factor authentication. Additional details about the Mumblehard botnet takedown can be found in an article by Marc-Etienne M. Léveillé on ESET’s official security blog, WeLiveSecurity.com.
ESET, the pioneer of proactive protection and the maker of the award-winning NOD32 technology which is celebrating its 25th anniversary in 2012, is a global provider of security solutions for businesses and consumers. The Company continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus holds the world record for the number of Virus Bulletin “VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. ESET has been selected as one of the most innovative companies in Europe for the 2011 HSBC European Business Awards and holds number of accolades from AV-Comparatives, AV Test and other organizations. ESET NOD32 Antivirus, ESET Smart Security and ESET Cyber Security for Mac are trusted by millions of global users and are among the most recommended security solutions in the world.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Cracow (Poland), Montreal (Canada), Moscow (Russia), and an extensive partner network for 180 countries. . For more information, visit our local office at https://www.eset.hk.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For more information, please visit https://www.version-2.com/ or call (852) 2893 8860.