Researchers from the Slovak anti-virus company ESET have discovered thousands of Linux and BSD servers that are infected with malware and used to send large numbers of spam messages. Hard mumble, as the malware is called, would have been active since 2009.
It mainly involves Web servers that most likely through leaks in the popular content management systems Joomla and WordPress were hacked. Then the attackers Mumble Hard installed on the systems. In addition, the malware could also have spread via pirated versions of a program called Direct Mailer. The software normally costs $ 240, but on the Internet pirated versions were found with Mumble Hard backdoor.
Yell Soft
Direct Mailer is developed by the software company Yell Soft. Yell Soft sells software like Hard Mumble is written in the Perl programming language and is used to send bulk mail. Researchers from ESET suspect Yell Soft may be involved in the malware. It appears that the IP address of the C & C server that the infected Linux and BSD machines controls is in the same range as the Web server yellsoft.net .
The second link which the researchers point to the existence of the illegal versions of Direct Mailer where Mumble Hard backdoor hidden in. The first version of Mumble Hard dates from 2009. Yell Soft exists since 2004. "It is unclear whether they were involved between 2004 and 2009 in malicious activity," as the researchers in their report ( pdf ) about the malware.
Infections
Hard mumble was discovered after an administrator had complained that his server was ended because of a spam blacklist.During the research conducted ESET researchers knew to "sink holes" botnet server, where the movement of infected machines ran to a server of the anti-virus company. In this way, the researchers saw a period of seven months, nearly 8900 unique IP addresses passing by who were infected. Administrators who want to know if their server is compromised are advised to search for unsolicited cron jobs for all users.