A new piece of malware that researchers have dubbed Mayhem is being used to target Linux and Unix web servers and has so far compromised over 1,400 Linux and FreeBSD servers around the world, warn researchers from Russian Internet giant Yandex.
Mayhem has the functions of a typical Windows bot, but doesn’t need root access to make use of them. The malware is modular and can be extended to do a range of things, but the current version can:
- Find websites that contain a remote file inclusion (RFI) vulnerability
- Enumerate users of WordPress sites
- Identify user login pages on sites based on the WordPress CMS
- Brute force passwords for sites based on the WordPress and Joomla CMSs
- Brute force passwords for almost any login page
- Brute force FTP accounts
- Crawl web pages (both by URL and IP) and extract useful information.
During their investigation, the researchers also discovered that Mayhem is a continuation of the Fort Disco brute-force campaign unearthed by Arbor ASERT in August 2013.
“Initially, the piece of malware appears as a PHP script,” the researchers shared. “After execution, the script kills all ‘/usr/bin/host’ processes, identifies the system architecture (x64 or x86) and system type (Linux or FreeBSD), and drops a malicious shared object named ‘libworker.so’.”
New variables, scripts and tasks are created, functions executed and processes run (for in-depth details check out the researchers’ paper at Virus Bulletin), and the malware contacts the C&C server in order to send the host’s system information and receive instructions on what to do next.
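The one host-side indicator the article names is the dropped shared object ‘libworker.so’. The following is an added example, not the researchers’ or Yandex’s tooling: it parses Linux `/proc/<pid>/maps` and reports any process that has a file with that basename mapped, which is how injected code shows up in a running process. It assumes Linux procfs (FreeBSD does not mount it by default); the sample maps text and its paths are constructed.

```python
#!/usr/bin/env python3
"""Report processes with a named shared object (default: libworker.so) mapped."""
import os
import re
from pathlib import Path
from typing import Dict, List

# Indicator taken from the article: the dropped malicious shared object.
DEFAULT_INDICATORS = ("libworker.so",)

# One maps line: range, perms, offset, device, inode, optional path.
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_text: str, indicators=DEFAULT_INDICATORS) -> List[Dict[str, str]]:
    """Return each mapping whose file basename matches an indicator, with its perms.
    A mapping carrying 'x' is the one that matters: that is injected code running."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m or not m.group("path"):
            continue
        path = m.group("path").strip()
        if os.path.basename(path) in indicators:
            hits.append({"path": path, "perms": m.group("perms")})
    return hits


def scan_proc(proc_root: str = "/proc", indicators=DEFAULT_INDICATORS) -> Dict[int, List[Dict[str, str]]]:
    """Walk every readable <proc_root>/<pid>/maps and collect hits per PID."""
    results = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            text = (entry / "maps").read_text()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited, or not ours to inspect
        hits = suspicious_mappings(text, indicators)
        if hits:
            results[int(entry.name)] = hits
    return results


# Constructed sample (not a real capture): a web server process with the
# article's libworker.so mapped from /tmp, plus ordinary libc and stack mappings.
SAMPLE_MAPS = """\
00400000-00410000 r-xp 00000000 08:01 131073 /usr/sbin/httpd
7f3a10000000-7f3a10021000 r-xp 00000000 08:01 262145 /tmp/libworker.so
7f3a10021000-7f3a10220000 ---p 00021000 08:01 262145 /tmp/libworker.so
7f3a10220000-7f3a10221000 rw-p 00020000 08:01 262145 /tmp/libworker.so
7f3a10400000-7f3a105b0000 r-xp 00000000 08:01 917 /lib/x86_64-linux-gnu/libc-2.19.so
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""
```

Run `scan_proc()` as root to cover every process; mapping paths reported under `/tmp` or `/dev/shm` deserve a look first.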
The researchers managed to gain access to two of the three C&C servers used to manage the botnet, and have discovered that those two control about 1,400 bots, many of which were used to brute force WordPress passwords.
“During the analysis, we found some common features shared between Mayhem and some other *nix malware. The malware is similar to ‘Trololo_mod’ and ‘Effusion’ – two injectors for Apache and Nginx servers respectively,” they noted, and added that despite the lack of evidence, they believe that all these malware families were developed by the same gang.
Yandex researchers weren’t the first ones to have discovered and analyzed Mayhem – the Malware Must Die group had spotted it nearly a month earlier. Both teams researched the malware independently.
Yandex researchers attribute the rising popularity of botnets made up of *nix web servers to several factors: web servers are more powerful than typical personal computers and have good uptime; their admins usually update the software manually and irregularly, allowing attackers to find and exploit vulnerabilities; and web server botnets are ideal for earning criminals money off of traffic redirection, drive-by download attacks, black hat SEO, and so on.