Security researchers from the antivirus provider Eset announced the discovery of a new strain of malware dubbed “Mumblehard” (because it's “Muttering spam from your servers,” according to the subtitle of Eset's 23-page report “Unboxing Linux/Mumblehard,” available in .pdf form here).
Actually, Mumblehard isn't “new” malware, just newly discovered: Eset says Mumblehard has been active since at least 2009. The malware affects Linux and FreeBSD operating systems, usually servers.
But what exactly does Mumblehard do? Eset says “an infected server opens a backdoor for the cybercriminals that allows them full control of the system by running arbitrary code. It also has a general-purpose proxy and a module for sending spam messages.”
Indeed, sending spam messages appears to be Mumblehard's primary function. ESET discovered the malware after a system administrator sought the company's help in solving a mystery: why was the server blacklisted for sending spam?
Researchers investigated, and discovered malicious hidden code of a sort “uncommon and more complex than the average server threat.” (Ars Technica described it as being “arranged in the fashion of a Russian nesting doll.”)
As for how Mumblehard gets onto Linux and FreeBSD servers (or other machines running those systems), ESET identified two “plausible infection vectors …. The most popular vector seems to be the use of Joomla and Wordpress exploits. The other is through the distribution of backdoored 'pirated' copies of a Linux and BSD program known as DirectMailer.”
DirectMailer is software used for sending bulk e-mails. ESET said that “The pirated copies actually install the Mumblehard backdoor … that allows the operators to install additional malware.”
Even so, the researchers have not yet determined exactly how Mumblehard is installed in every case. And although the malware's primary targets are Linux servers, that does not guarantee that other computers are immune.
Ars Technica advises that “Administrators who want to check their servers for Mumblehard infections should look for unexplained daemons.” (Daemons are computer programs that run in the background, rather than under a user's direct control. If you've ever tried sending an email only to have it bounce back as undeliverable, you might've noticed that returned/rejected email actually came from a “mailer-daemon” email address.)
Mumblehard's backdoor is usually dropped in /tmp or /var/tmp. Mounting those directories with the noexec option stops any binary stored there from being executed, which blocks the backdoor from starting; it does not delete the files or kill a copy that is already running, so an infected server still has to be cleaned after the remount.
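The two checks above (processes whose executable lives in /tmp or /var/tmp, and whether those directories are mounted noexec) can be scripted. The following is an added example written for this article, not tooling from ESET or Ars Technica; the process list and mount table it runs against by default are constructed sample data, and the file names in them are invented placeholders, not real Mumblehard indicators. With `--live` it reads the real values from /proc on a Linux host.

```shell
#!/bin/sh
# Added example (not from the ESET report or the article): audit a host for the
# two indicators the article names. Sample data below is constructed.

# Given lines of the form "<pid> <path-to-executable>" on stdin, print the
# ones whose executable lives under /tmp or /var/tmp.
flag_tmp_executables() {
    while read -r pid exe; do
        case "$exe" in
            /tmp/*|/var/tmp/*) printf '%s %s\n' "$pid" "$exe" ;;
        esac
    done
}

# Given /proc/mounts-style lines on stdin, print the /tmp and /var/tmp mounts
# whose option list does not include noexec.
tmp_mounts_without_noexec() {
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /tmp|/var/tmp)
                case ",$opts," in
                    *,noexec,*) ;;
                    *) printf '%s %s\n' "$mnt" "$opts" ;;
                esac ;;
        esac
    done
}

# Live collection on Linux: resolve each process's executable via /proc/<pid>/exe.
# Processes owned by other users are skipped unless run as root.
live_process_executables() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s %s\n' "${p#/proc/}" "$exe"
    done
}

# Constructed sample input standing in for the live output of an infected host.
# The /tmp paths are placeholders, not real Mumblehard file names.
SAMPLE_PROCS='1 /sbin/init
612 /usr/sbin/sshd
917 /usr/sbin/httpd
2203 /tmp/.hidden_daemon
2310 /var/tmp/spamd'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,noexec 0 0'

if [ "${1:-}" = "--live" ]; then
    echo "== processes running from /tmp or /var/tmp =="
    live_process_executables | flag_tmp_executables
    echo "== tmp mounts missing noexec =="
    tmp_mounts_without_noexec < /proc/mounts
else
    echo "== processes running from /tmp or /var/tmp (sample data) =="
    printf '%s\n' "$SAMPLE_PROCS" | flag_tmp_executables
    echo "== tmp mounts missing noexec (sample data) =="
    printf '%s\n' "$SAMPLE_MOUNTS" | tmp_mounts_without_noexec
fi
```

Any hit in the first list is an “unexplained daemon” worth investigating. For a mount that shows up in the second list, `mount -o remount,noexec /tmp` applies the option immediately and adding `noexec` to the directory's options in /etc/fstab keeps it across reboots; check first whether any legitimate installer or package script on the box needs to execute from /tmp, since noexec will break it. On FreeBSD, where /proc is often not mounted, `procstat -b` on each process ID gives the executable path that the `--live` branch reads from /proc here.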