FREE AT LAST —

Researchers help shut down spam botnet that enslaved 4,000 Linux machines

Mumblehard blasted the Internet with spam for more than a year.

A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down.

Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service.

"There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn’t work) was used to break the protection."

In the months following Eset's discovery of Mumblehard in late 2014, company researchers worked with Estonian law enforcement and an industry partner to shut down the botnet. In February of this year, the group took control of the Internet address belonging to the command server, making it possible for researchers to "sinkhole" the botnet. Rather than connecting to the attackers' control server, the infected machines connected to benign machines operated by the takedown participants. By analyzing the incoming traffic, they estimated that about 4,000 computers were infected.

Researchers still don't know how Mumblehard initially took hold of its victims. At first, they suspected that the malware exploited vulnerabilities in content management systems such as WordPress, or in the many plug-ins associated with them. Analysis of the control server revealed this theory was incorrect, however. The number of machines reporting to the sinkholed server has been slowly dropping as compromised systems are disinfected.
