New Mayhem malware targets Linux, UNIX servers
Infections found in Australia and New Zealand.
A new malware that runs on UNIX-like servers even with restricted privileges has already infected machines in Australia and is actively hunting for more targets, a new research paper has shown.
Three researchers from Russian web provider Yandex – Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov – said in the technical analysis of the malware, published on security and anti-virus specialist publication Virus Bulletin, that Mayhem functions like a traditional Windows bot.
Mayhem was discovered in April this year and does not require a privilege escalation vulnerability – it does not have to run as the root super user – to work on Linux-based systems, or on FreeBSD servers.
Servers are infected through the execution of a hypertext preprocessor (PHP) script that establishes Mayhem on the victim computer and sets up a communications channel with a command and control server.
The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server.
Some of the plug-ins provide password brute-forcing functionality, while others crawl web pages to scrape information.
According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013.
At the time, Fort Disco had created a botnet with six command and control sites and over 25,000 infected Windows computers, according to Arbor Networks security analysts.
A total of 1400 infections have been recorded around the world for Mayhem so far, with most of these in the United States, Russia, Germany and Canada, the researchers said.
Sidorov told iTnews that recently discovered data from the largest Mayhem command and control server showed that there were 14 infected machines in Australia, and two in New Zealand.
Commenting on the research, Virus Bulletin editor Martijn Grooten said the threat Mayhem poses was relatively small compared to existing botnets.
But he warned that Mayhem should be taken seriously nevertheless, as it had the ability to compromise powerful Linux servers and was actively looking for other sites and machines to infect.
“It is another reminder to those running web servers that these have become prime targets for malware authors,” Grooten said.
The researchers warned that despite increasingly being targeted by malware authors, many webmasters who run UNIX-like operating systems don’t have the opportunity to update their infrastructure automatically, and that serious maintenance is expensive and therefore often not undertaken.
This, combined with lack of anti-virus technologies, active defences and process memory checking modules in the UNIX world, meant “it is easy for hackers to find vulnerable web servers and to use such servers in their botnets,” the researchers stated.