
New Mayhem Malware Targets Linux and UNIX-Like Servers

Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."

  • by Gothmolly ( 148874 ) on Friday July 18, 2014 @09:18AM (#47481851)

    And for those of you who DO auto-update blindly and destroy your app or your server when a bad version comes out, well, at least you can smugly assert that you were "secure".

  • Still old-school (Score:4, Insightful)

    by bluefoxlucid ( 723572 ) on Friday July 18, 2014 @09:32AM (#47481931) Homepage Journal

    I was going to release an RFC several years back that detailed malware communications protocols, but it was out-of-scope for an RFC and I figured it would be bad when people started using it. Plus IETF might not take that as an April 1 RFC.

    I had suggested that the malware be modular, and that it have a communications protocol using PKI, and an evolutionary module loading framework. It would take code for modules shipped across the network and try to compile them locally for various systems, then ship the binaries around. It would also divide when it got a new module: a kill module would just kill the weak strain. The proposal included detecting remote OS and shipping the correct primary executable code, as well as support code for cross-infection.

    The whole thing was a big argument for why we need a non-executable stack and strict rules preventing in-memory transitions between non-executable and executable pages. Data written in memory should never become code. Of course, people want to use JIT compilers, so...

    Modern malware still bores me.

  • Re:Derp (Score:5, Insightful)

    by Lumpy ( 12016 ) on Friday July 18, 2014 @09:33AM (#47481939) Homepage

    If you never travel outside your country, why not block all networks from outside? Back in my AT&T days I blocked all of south america, europe, and asia for our servers because nobody from those locations had any reason to even contact our advertising data collection systems. There is no reason to keep your servers wide open for the world.

  • Re:Derp (Score:2, Insightful)

    by Anonymous Coward on Friday July 18, 2014 @09:47AM (#47482051)

    So lock the account?

    Seems clever. DoS successful.

    Notabene: All through the 90s and some years later, you could lock customers of Deutsche Telekom out of their Internet access until midnight, if you knew their telephone number.

    Internet login was derived from the phone number, accounts were locked after 10 failed passwords until midnight.

  • Attack Vector (Score:5, Insightful)

    by Anonymous Coward on Friday July 18, 2014 @09:53AM (#47482091)

    "A lack of anti virus, and missing auto update features leave machines vulnerable"

    It astounds me the lengths the article writers go to while avoiding the attack vector:

    The admin must:
    1. allow a method to upload files
    2. allow php files to be uploaded
    3. Allow execution of these uploaded scripts
    4. Allow system / exec calls (disabled by default since forever ago)
    5. Allow the user to write their own crontab

    At that point, you might as well just install the infection through yum or apt.

    Seriously, there's a reason that the article numbers are less than 1% of the size of the average windows server infection.
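
An added example, not code from the thread or from the researchers' report: the five conditions the comment above lists are all things an admin can check for on a box. The script below audits a php.ini, an upload-directory listing, the upload directory's .htaccess and /etc/cron.allow against those five conditions and reports which links of the chain are present. It assumes Apache with mod_php (so `php_flag engine off` or `RemoveHandler` is what stops uploaded scripts running), and that an absent /etc/cron.allow means every user may edit a crontab, which is the Debian default; both are assumptions, and the sample php.ini, directory listing and .htaccess contents are constructed here, not taken from any real server.

```python
import os
import re

# Functions that let PHP spawn a process: condition 4 in the comment above.
PROCESS_FUNCTIONS = {"exec", "system", "shell_exec", "passthru", "popen", "proc_open"}
# Extensions a default mod_php/php-fpm handler mapping will execute: condition 2.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5"}


def parse_php_ini(text):
    """Minimal php.ini parser: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_flag(settings, key, default=False):
    """php.ini booleans accept On/Off, 1/0, True/False, Yes/No."""
    return settings.get(key, "on" if default else "off").lower() in {"on", "1", "true", "yes"}


def enabled_process_functions(settings):
    """Condition 4: process-spawning functions not covered by disable_functions."""
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",")}
    return sorted(PROCESS_FUNCTIONS - disabled)


def executable_uploads(filenames):
    """Condition 2: files in the upload directory that the web server would run as PHP.
    Extension matching is case-insensitive because the handler mapping usually is."""
    return sorted(f for f in filenames if os.path.splitext(f)[1].lower() in SCRIPT_EXTENSIONS)


def php_engine_off(htaccess):
    """Condition 3: does the upload directory's .htaccess disable PHP execution?
    Assumption: Apache with mod_php, so 'php_flag engine off' or a RemoveHandler line."""
    return bool(re.search(r"^\s*(php_flag\s+engine\s+off|RemoveHandler\s+\.php)", htaccess, re.I | re.M))


def crontab_allowed(user, cron_allow):
    """Condition 5. cron_allow is the content of /etc/cron.allow, or None if the file is
    absent. Assumption: an absent file allows every user (the Debian default)."""
    if cron_allow is None:
        return True
    return user in {line.strip() for line in cron_allow.splitlines()}


def audit(php_ini, upload_listing, htaccess, web_user, cron_allow):
    """Map each of the five conditions to a truthy value when it is present."""
    s = parse_php_ini(php_ini)
    return {
        "1_uploads_enabled": ini_flag(s, "file_uploads", default=True),
        "2_php_files_in_upload_dir": executable_uploads(upload_listing),
        "3_upload_dir_executes_php": not php_engine_off(htaccess),
        "4_process_functions_enabled": enabled_process_functions(s),
        "5_web_user_can_write_crontab": crontab_allowed(web_user, cron_allow),
    }


def chain_is_complete(report):
    """True only when every link the comment lists is present at once."""
    return all(bool(v) for v in report.values())


# Constructed sample inputs, not taken from any real server.
WEAK_INI = """
[PHP]
file_uploads = On
disable_functions =
"""
HARDENED_INI = """
[PHP]
file_uploads = On   ; uploads are needed, but not execution of what was uploaded
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
"""
UPLOAD_DIR = ["avatar.png", "invoice.pdf", "cache.php", "shell.PhP"]
HARDENED_HTACCESS = "php_flag engine off\nRemoveHandler .php .phtml\n"

if __name__ == "__main__":
    weak = audit(WEAK_INI, UPLOAD_DIR, "", "www-data", cron_allow=None)
    hard = audit(HARDENED_INI, UPLOAD_DIR, HARDENED_HTACCESS, "www-data", cron_allow="root\n")
    print("weak server, chain complete:", chain_is_complete(weak), weak)
    print("hardened server, chain complete:", chain_is_complete(hard), hard)
```

Note that the hardened run still reports the two .php files sitting in the upload directory; breaking condition 3 (the engine is off for that directory) and condition 4 (no process functions) is what stops the chain, which is the comment's point that each link is a separate admin decision.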

  • Re:Derp (Score:2, Insightful)

    by Anonymous Coward on Friday July 18, 2014 @10:01AM (#47482173)

    So, all I need to do to block off legitimate access is fire off a single connection (per user I want to block) every 30 seconds...

    I could have a daemon doing that without noticeably slowing down my regular internet traffic on my home DSL.
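
An added example, not from the thread: the lockout DoS described in the two Re:Derp comments above (lock the account after N failures, and anyone who knows the username can keep it locked with one connection every 30 seconds) goes away if the failure counter is keyed on the (source, username) pair and the response is a growing delay rather than a lock. The simulation below plays the comment's scenario, one bad password every 30 seconds for five minutes, against such a throttle and shows the legitimate user from another address is never delayed, while the naive per-account lock from the Deutsche Telekom story would have locked the account. The class, its parameters and the two documentation-range addresses are all constructed for this example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Exponential backoff per (source, username) instead of a per-account lock.

    Someone who knows only the username cannot lock the real user out, because
    the real user's failures are counted separately from the attacker's.
    """

    def __init__(self, base_delay=1.0, max_delay=900.0, free_attempts=3, clock=time.monotonic):
        self.base_delay = base_delay      # delay after the first throttled failure, seconds
        self.max_delay = max_delay        # cap so one key never waits longer than this
        self.free_attempts = free_attempts  # typos a real user gets without any delay
        self.clock = clock
        self._failures = defaultdict(int)      # (source, user) -> consecutive failures
        self._blocked_until = defaultdict(float)

    def delay_for(self, failures):
        """Seconds to wait after `failures` consecutive failures on one key."""
        over = failures - self.free_attempts
        if over <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (over - 1), self.max_delay)

    def check(self, source, user):
        """Seconds the caller must still wait before the next attempt (0.0 = go ahead)."""
        return max(0.0, self._blocked_until[(source, user)] - self.clock())

    def record(self, source, user, success):
        """Record an attempt's outcome; returns the delay now imposed on this key."""
        key = (source, user)
        if success:
            self._failures.pop(key, None)
            self._blocked_until.pop(key, None)
            return 0.0
        self._failures[key] += 1
        wait = self.delay_for(self._failures[key])
        self._blocked_until[key] = self.clock() + wait
        return wait


def naive_account_lock(failures, threshold=10):
    """The scheme from the Telekom comment: lock the account after N failures,
    no matter who caused them."""
    return failures >= threshold


class FakeClock:
    """Deterministic clock so the simulation runs instantly and reproducibly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_lockout_dos():
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    attacker, victim = "203.0.113.7", "198.51.100.20"   # constructed, documentation ranges
    # The comment's attack: one bad password for 'alice' every 30 seconds for five minutes.
    for _ in range(10):
        throttle.record(attacker, "alice", success=False)
        clock.advance(30)
    attacker_wait = throttle.check(attacker, "alice")
    victim_wait = throttle.check(victim, "alice")
    # The real alice, from her own address, logs in with the right password.
    throttle.record(victim, "alice", success=True)
    return {
        "attacker_wait": attacker_wait,          # 34.0: 64 s backoff, 30 s already elapsed
        "victim_wait": victim_wait,              # 0.0: never throttled
        "naive_scheme_locks_alice": naive_account_lock(10),
    }


if __name__ == "__main__":
    print(simulate_lockout_dos())
```

The caveat a practitioner would add: keying on the source address only defeats the single-DSL-line attacker in the comment. A botnet of the size in the article can spread its guesses across many sources, so the per-account failure count still matters, but it should trigger a step-up (second factor, notification to the owner) rather than a lock that any stranger can engage.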

  • Re:Attack Vector (Score:2, Insightful)

    by StormReaver ( 59959 ) on Friday July 18, 2014 @01:46PM (#47484291)

    Seriously, there's a reason that the article numbers are less than 1% of the size of the average windows server infection.

    There are clearly many more Windows servers on the Internet than there are Linux servers. After all, if Linux had anywhere near the deployment of Windows, then Linux would experience the same rate of infection, right?

    Right?
