IT security firm ESET takes down Mumblehard Botnet

A Linux and BSD botnet of over 4000 infected machines, known as Mumblehard was taken down by researchers at ESET, an IT security firm based in Slovakia. A “sinkhole” or misdirection by DNS servers for the pool of affected computers, was instrumental in the takedown. Most of the affected machines were web servers, and more than 8800 unique IP address pinged the ESET sinkhole servers over a period of seven months. Mumblehard was sending out spam emails since at least 2009. There were two vectors of infection. Infection through Joomla and WordPress exploits is one possibility, and the more common of the two. The other method is through the distribution of  a backdoored program called DirectMailer. Mumblehard was first “unboxed” by ESET in 2015. The Mumblehard botnet used some uncommon features in it’s various components. The packer was written in Perl, and wrapped in an assembly language ELF. There was a Perl backdoor meant for doing only one task, download from URL and executing it. The spamming daemon was also written in Perl, and would send out e-mails about pharmaceutical products from various online companies. These features alerted ESTE researches about the sophistication of the Botnet. ESET tookdown the servers in a joint operation with the Cyber Police of Ukraine. The pharmaceutical spam has stopped from February 26 this year. A sinkhole is operating for all known components of the botnet. ESET is also notifying affected parties directly.