Experts from ESET, in cooperation with the Ukrainian police and CyS Center, a company specializing in IT security audits, have deactivated the Mumblehard botnet. The servers that made up the botnet were located in 63 countries, including Poland. The purpose of Mumblehard was to send spam messages. The botnet had been operating since 2009 and, at its most active, comprised nearly 4,000 devices.
The Mumblehard botnet was built from servers running Linux and BSD that had been infected with the threat ESET detects as Linux/Mumblehard. The cybercriminals first looked for vulnerabilities in the software installed on these servers, then exploited them to infect the machines and take control of them. The compromised servers were used mainly to send spam messages.
Thanks to the cooperation between the experts from ESET, the Ukrainian police and CyS Center, in autumn 2015 the researchers gained access to the server controlling the botnet (the command and control server) and were able to examine how the zombie network operated. It turned out that nearly 4,000 devices from 63 countries around the world were connected to the botnet.
An interesting capability of the botnet was its ability to automatically remove its servers from a list of entities suspected of sending spam (the Spamhaus Composite Blocking List). A script regularly monitored the IP addresses of all the malicious servers, and if one of the addresses had been added to the list, it automatically submitted a request for its removal. Such requests are protected by a CAPTCHA, but the infected machines were able to get past this obstacle, using text-recognition technology as well as external services to break the protection.
Although the botnet has been deactivated, the infected servers are still running. CERT teams in various countries around the world are now notifying the companies whose servers were connected to the botnet, and as a result the number of infected servers is steadily decreasing. How can such infections of corporate servers be prevented? Experts advise keeping the applications installed on servers updated regularly and using strong passwords for administrator accounts. Since the takeover of the botnet, analysts have not seen any new variants of the threat or any action by the criminal group responsible for the attack.