New Mayhem malware targets Linux, UNIX servers


Infections found in Australia and New Zealand.

A new malware that runs on UNIX-like servers even with restricted privileges has already infected machines in Australia and is actively hunting for more targets, a new research paper has shown.

Three researchers from Russian web provider Yandex - Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov - said in the technical analysis of the malware, published on security and anti-virus specialist publication Virus Bulletin, that Mayhem functions like a traditional Windows bot.

Mayhem was discovered in April this year and does not require a privilege escalation vulnerability - it does not have to run as the root super user - to work on Linux-based systems, or on FreeBSD servers.

Servers are infected through the execution of a hypertext preprocessor (PHP) script that establishes Mayhem on the victim computer and sets up a communications channel with a command and control server.

The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server.

Some of the plug-ins provide password brute-force cracking functionality, while others crawl web pages to scrape information.

According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013.

At the time, Fort Disco had created a botnet with six command and control sites and over 25,000 infected Windows computers, according to Arbor Networks security analysts.

Mayhem worldwide distribution. Source: Virus Bulletin

A total of 1400 infections have been recorded around the world for Mayhem so far, with most of these in the United States, Russia, Germany and Canada, the researchers said.

Sidorov told iTnews that recently discovered data from the largest Mayhem command and control server showed that there were 14 infected machines in Australia, and two in New Zealand.

Commenting on the research, Virus Bulletin editor Martijn Grooten said the threat Mayhem poses was relatively small compared to existing botnets.

But he warned that Mayhem should be taken seriously nevertheless, as it had the ability to compromise powerful Linux servers and was actively looking for other sites and machines to infect.

"It is another reminder to those running web servers that these have become prime targets for malware authors," Grooten said.

The researchers warned that despite increasingly being targeted by malware authors, many webmasters who run UNIX-like operating systems don't have the opportunity to update their infrastructure automatically, and that serious maintenance is expensive and therefore often not undertaken.

This, combined with lack of anti-virus technologies, active defences and process memory checking modules in the UNIX world, meant "it is easy for hackers to find vulnerable web servers and to use such servers in their botnets," the researchers stated.

Copyright © iTnews.com.au . All rights reserved.
Image credit: Virus Bulletin.