One of the longest living botnets of all time is dead, but don’t expect many mourners at the funeral.
Mumblehard is a 7-year-old family of malware from Ukraine that hijacks Linux servers and drafts them into an army of computers that send massive amounts of spam emails about pharmaceutical drugs like Viagra and Adderall.
The botnet was officially shut down as of Feb. 29, according to a report released by security researchers at ESET on Thursday.
Thousands of machines around the world were commandeered by Mumblehard since at least 2009, costing owners money for bandwidth and often blacklisting their their IP addresses so that they couldn’t send legitimate emails to the outside world, according to ESET. The hackers behind Mumblehard had 150 gigabytes of emails, an enormous trove of targets for the cybercriminals.
Ukranian Cyber Police are conducting an ongoing criminal investigation into those behind the malware.
When hackers are engaged in massive spam campaigns like this, tools like the Spamhaus’ Composite Blocking List are meant to shut them down by blacklisting IP addresses from infected machines. The crew behind Mumblehard made a concerted effort to remove their address, largely succeeding despite protections like CAPTCHA on the list.
Over the last year, Ukrainian police worked with Eastern European cybersecurity researchers at ESET and Cys-Centrum to put an end to the senior spam operation. Here’s how it happened.
For at least five years, maybe more, Mumblehard avoided the spotlight. That’s a mean feat for a botnet claiming at least 8,800 victims. But then ESET security researcher Marc-Étienne Léveillé received a puzzled call from a friend whose server had become a fountain of spam, causing its IP address to be blacklisted around the Internet.
The scope and cleverness that Léveillé spotted after looking into his friend’s machine turned a quick glance into an ongoing investigation.
One year ago, ESET published a research paper revealing Mumblehard to the world. The Slovakian cybersecurity firm revealed a new threat of above-average complexity that had managed to avoid detection for years thanks to the programmer’s techniques.
When Mumblehard infected a server, it opened a backdoor for criminals to enter and gain full control of the system. The Perl-language scripts and encrypted executable files were packed inside in the fashion of Russian nesting dolls. Components were tightly obfuscated and the spam daemon that pumped out masses of profitable spam emails operated quietly in the background.
“If you don’t catch it while it’s being downloaded, it’s kind of hard to have an idea that it exists,” Léveillé told the Daily Dot. “I think that’s one of the reasons it stayed unknown for so long.”
The hackers behind Mumblehard reacted to the new publicity within a month by consolidating the now-spotlighted botnet so that only a single server was operating as the command-and-control point behind the network.
Ukrainian law enforcement and the Ukranian cybersecurity firm Cys-Centrum identified and analyzed that server and, in collaboration with ESET, took it down.
Last year, when Mumblehard was first discovered, an ESET report said it had links to Yellsoft, a European company selling DirecMailer, software written in Perl to send masses of emails. Yellsoft and Mumblehard shared IP addresses and pirated versions of DirecMailer installed Mumblehard itself.
Yellsoft disappeared from the Internet after ESET published their whitepaper revealing Mumblehard to the world.
Full details have yet to be released as the criminal investigation is ongoing.