A security firm has successfully taken down the Mumblehard Linux botnet as part of a public-private legal effort.
The story begins in April 2015, when ESET, an IT security firm located in Slovakia, first published a report (PDF) on the botnet.
“Linux/Mumblehard is a family of malware targeting servers running both the Linux and BSD operating systems,” ESET researchers explain. “A Mumblehard infected server opens a backdoor for the cybercriminals that allows them full control of the system by running arbitrary code. It also has a general-purpose proxy and a module for sending spam messages.”
The researchers go on to note that they registered a domain name acting as a command and control (C&C) server for Mumblehard’s backdoor module, a move which allowed them to collect statistics about the botnet’s size and distribution.
About a month after it published its report, ESET noticed an apparent reaction from the malware authors when they decided to remove all unnecessary domain names and IP addresses from the list of C&C servers, keeping just one under their control.
[Figure: Statistics from the Mumblehard sinkhole after the publication (Source: ESET)]
This gave the security researchers an idea.
“With only one IP address acting as the C&C server for the Mumblehard backdoor and no fallback mechanism, a takeover of that IP address would suffice to stop the malicious activities of this botnet,” ESET explains in a blog post. “We decided to take action and contacted the relevant authorities to make things happen.”
Working with the Cyber Police of Ukraine and CyS Centrum LLC, another security company, ESET was able to learn more about the botnet and eventually replace the Mumblehard C&C server with a sinkhole on February 29th, 2016.
Data collected by ESET indicates upwards of 4,000 Linux systems had been compromised by the botnet.
Currently, CERT-Bund is working to notify all affected parties.
“Collaboration with law enforcement and external entities was crucial in making this operation a success. ESET would like to thank the Cyber Police of Ukraine, CyS Centrum LLC and CERT-Bund,” the security researchers conclude. “We are proud of our efforts to make the internet a safer place. Mumblehard might not be the most prevalent, the most dangerous or the most sophisticated botnet out there, but shutting it down is still a step in the right direction and shows that security researchers working with other entities can help reduce the impact of criminal activity on the internet.”
News of this takedown comes approximately two years after the FBI led an international legal effort to disrupt the Gameover ZeuS botnet.