One of the longest living botnets of all time is dead, but don’t expect many mourners at the funeral.
Mumblehard is a 7-year-old family of malware from Ukraine that hijacks Linux servers and drafts them into an army of computers that send massive amounts of spam emails about pharmaceutical drugs like Viagra and Adderall.
The botnet was officially shut down as of Feb. 29, according to a report released by security researchers at ESET on Thursday.
Thousands of machines around the world were commandeered by Mumblehard since at least 2009, costing their owners money for bandwidth and often getting their IP addresses blacklisted so that they could no longer send legitimate email to the outside world, according to ESET. The hackers behind Mumblehard held 150 gigabytes of email addresses, an enormous trove of targets for the spam campaigns.
Ukrainian Cyber Police are conducting an ongoing criminal investigation into those behind the malware.
When hackers run massive spam campaigns like this, tools like Spamhaus's Composite Blocking List (CBL) are meant to shut them down by blacklisting the IP addresses of infected machines. The crew behind Mumblehard made a concerted effort to get their addresses removed from the list, largely succeeding despite protections like CAPTCHA on the delisting process.
Over the last year, Ukrainian police worked with researchers at ESET and the Ukrainian cybersecurity firm Cys-Centrum to put an end to the long-running spam operation. Here's how it happened.
For at least five years, maybe more, Mumblehard avoided the spotlight. That's no mean feat for a botnet with at least 8,800 victims. But then ESET security researcher Marc-Étienne Léveillé received a puzzled call from a friend whose server had become a fountain of spam, causing its IP address to be blacklisted around the Internet.
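The blacklisting the article describes is a DNS-based blocklist (DNSBL) lookup: a mail server queries an A record for the sender's IP octets in reverse order under the list's zone, and an answer in 127.0.0.0/8 encodes why the address is listed, while NXDOMAIN means it is clean. The CBL's data is also served through Spamhaus's XBL component of the ZEN zone. The following is an added example, not code from the article or from ESET, showing how a server operator would check their own address and read the result; the return-code mapping follows Spamhaus's published codes for zen.spamhaus.org, and the offline answers for 192.0.2.x (RFC 5737 documentation space) are constructed so the block runs without network access.

```python
"""Check whether a mail server's IPv4 address is listed on a DNS blocklist.

Added example (not from the article): a DNSBL lookup is an A-record query for the
IP's octets in reverse order under the list's zone, e.g. 10.2.0.192.zen.spamhaus.org.
NXDOMAIN means "not listed"; an answer in 127.0.0.0/8 encodes the listing reason.
"""
import ipaddress
import socket

# Return codes as published by Spamhaus for the ZEN zone; the XBL component
# carries the CBL's data, which is the list named in the article.
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / low-reputation source)",
    "127.0.0.4": "XBL (CBL data: exploited or infected host)",
    "127.0.0.9": "SBL DROP (hijacked netblock)",
    "127.0.0.10": "PBL (ISP policy, end-user range)",
    "127.0.0.11": "PBL (Spamhaus policy, end-user range)",
}
# Error codes: the query was rejected, which says nothing about the IP.
# Treat these as "unknown", never as "clean".
ZEN_ERRORS = {
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver; use your own",
    "127.255.255.255": "excessive query volume",
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reverse-octet query name, e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only; IPv6 DNSBL names use reversed nibbles")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answers(answers) -> dict:
    """Map the A records returned for a query to listed/not-listed plus reasons."""
    reasons, errors = [], []
    for a in answers:
        if a in ZEN_ERRORS:
            errors.append(ZEN_ERRORS[a])
        elif a.startswith("127.0.0."):
            reasons.append(ZEN_CODES.get(a, f"unknown return code {a}"))
        else:
            # Anything outside 127/8 is not a DNSBL answer (wildcard or hijacked DNS).
            errors.append(f"unexpected answer {a}")
    return {"listed": bool(reasons), "reasons": reasons, "errors": errors}


def check_ip(ip: str, zone: str = "zen.spamhaus.org",
             resolver=socket.gethostbyname_ex) -> dict:
    """Resolve the DNSBL name; NXDOMAIN (gaierror) means the IP is not listed."""
    name = dnsbl_query_name(ip, zone)
    try:
        _, _, answers = resolver(name)  # same shape as socket.gethostbyname_ex
    except (socket.gaierror, socket.herror):
        return {"query": name, "listed": False, "reasons": [], "errors": []}
    result = interpret_answers(answers)
    result["query"] = name
    return result


# Constructed offline answers so the example runs without network access.
# 192.0.2.x is documentation space (RFC 5737); these listings are made up.
_OFFLINE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],             # infected host (CBL)
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],
    "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],       # rejected query
}


def offline_resolver(name):
    """Stand-in for socket.gethostbyname_ex with the same return shape."""
    if name not in _OFFLINE_ANSWERS:
        raise socket.gaierror(-2, "Name or service not known")
    return (name, [], _OFFLINE_ANSWERS[name])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, check_ip(ip, resolver=offline_resolver))
```

To query the real list, call `check_ip("203.0.113.5")` with the default resolver from a host that uses its own recursive resolver; Spamhaus answers 127.255.255.254 rather than a listing status when the query arrives via a large public resolver, which is why the error codes are kept separate from "not listed".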
The scope and cleverness that Léveillé spotted after looking into his friend’s machine turned a quick glance into an ongoing investigation.
One year ago, ESET published a research paper revealing Mumblehard to the world. The Slovakian cybersecurity firm described a new threat of above-average complexity that had managed to avoid detection for years thanks to its authors' obfuscation techniques.
When Mumblehard infected a server, it opened a backdoor through which the criminals could gain full control of the system. Its Perl scripts and encrypted executables were packed one inside another, like Russian nesting dolls. Components were tightly obfuscated, and the spam daemon that pumped out masses of profitable spam emails operated quietly in the background.
“If you don’t catch it while it’s being downloaded, it’s kind of hard to have an idea that it exists,” Léveillé told the Daily Dot. “I think that’s one of the reasons it stayed unknown for so long.”
The hackers behind Mumblehard reacted to the new publicity within a month by consolidating the now-spotlighted botnet so that only a single server was operating as the command-and-control point behind the network.
Ukrainian law enforcement and the Ukrainian cybersecurity firm Cys-Centrum identified and analyzed that server and, in collaboration with ESET, took it down.
Last year, when Mumblehard was first discovered, ESET's report said it had links to Yellsoft, a European company selling DirecMailer, Perl software for sending mass email. Yellsoft and Mumblehard shared IP addresses, and pirated versions of DirecMailer installed Mumblehard itself.
Yellsoft disappeared from the Internet after ESET published its whitepaper revealing Mumblehard to the world.
Full details have yet to be released as the criminal investigation is ongoing.
Patrick Howell O'Neill is a cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.