Ebury and Mayhem server malware families still active

Posted by   Martijn Grooten on   Oct 31, 2017

Whether it is to send spam or to redirect web traffic to malicious payloads, compromised (Linux) web servers are the glue in many a malware campaign. Two such networks of compromised servers – about which VB has published papers in the past – have recently received updates.

The paper 'Operation Windigo' (pdf) was published by ESET in 2014 and looked at a cybercrime operation that used various Linux malware families, including the Ebury OpenSSH backdoor, which was used to access servers and steal credentials, and the Cdorked HTTP backdoor, which was used for web traffic redirection.

At VB2014, researchers from ESET in Canada and Yandex in Russia shared the stage to present a paper on these malware families, and at the same event, the authors of the Operation Windigo paper were the winners of the first Péter Szőr award.

The work the ESET researchers did on this group wasn't merely technical though: they also assisted the FBI in an international operation against the conspirators behind the malware, which led to the arrest of one individual at the Finnish-Russian border in August 2015. The suspect was subsequently extradited to the United States where he pleaded guilty and was sentenced to 46 months in prison.

Despite this setback, the group is still active. Yesterday, ESET published a blog post highlighting various updates to the Ebury malware, which include self-hiding techniques and a domain generating algorithm (DGA) that signs DNS TXT records to mitigate possible attempts to sinkhole the botnet.

penguins_wikimedia_commons.jpg

Various generations of penguins. Source: Wikimedia commons.

Also in 2014, Virus Bulletin published a paper by the same group of Yandex researchers, on the Mayhem botnet they had discovered. What made this botnet of Linux servers particularly noteworthy was the fact that it operated under restricted privileges and thus didn't require root access on the infected machines. The clear separation of root and user accounts on Linux is often cited as a strong built-in defence against malware.

A blog post by Sucuri shows that the Mayhem botnet is still active and has updated itself, removing any traces of the MAYHEM_DEBUG server variable, while masquerading as a jquery library.

A combination of operating system hardening and security software for added protection has made both desktop and mobile operating systems more secure than ever. This has made Linux servers a relatively easy and rather attractive target for malware authors. It is thus unlikely that we have seen the end of such attacks.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Internet balkanization: why are we raising borders online?

At VB2018 in Montreal, Ixia researcher Stefan Tanase presented a thought-provoking paper on the current state of the Internet and the worrying tendency towards raising borders and restricting the flow of information. Today we publish both his paper…

The malspam security products miss: banking and email phishing, Emotet and Bushaloader

The set-up of the VBSpam test lab gives us a unique insight into the kinds of emails that are more likely to bypass email filters. This week we look at the malspam that was missed: banking and email phishing, Emotet and Bushaloader.

VB2018 paper: Where have all the good hires gone?

The cybersecurity skills gap has been described as one of the biggest challenges facing IT leaders today. At VB2018 in Montreal, ESET's Lysa Myers outlined some of the things the industry can do to help address the problem. Today we publish Lysa's…

Preview: Nullcon 2019

We look forward the Nullcon 2019 conference in Goa, India, at which VB Editor Martijn Grooten will give a talk on the state of malware.

From Amazon to Emotet: a look at those phishing and malware emails that bypassed email security products

We see a lot of spam in the VBSpam test lab, and we also see how well such emails are being blocked by email security products. Recently some of the emails that bypassed security products included a broken Amazon phishing campaign, a large fake UPS…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.