One of the longest living botnets of all time is dead, but don’t expect many mourners at the funeral.
Mumblehard is a 7-year-old family of malware from Ukraine that hijacks Linux servers and drafts them into an army of computers that send massive amounts of spam emails about pharmaceutical drugs like Viagra and Adderall.
The botnet was officially shut down as of Feb. 29, according to a report released by security researchers at ESET on Thursday.
Thousands of machines around the world were commandeered by Mumblehard since at least 2009, costing owners money for bandwidth and often getting their IP addresses blacklisted so that they couldn’t send legitimate emails to the outside world, according to ESET. The hackers behind Mumblehard held 150 gigabytes of email addresses, an enormous trove of targets for the cybercriminals.
Ukrainian Cyber Police are conducting an ongoing criminal investigation into those behind the malware.
When hackers are engaged in massive spam campaigns like this, tools like Spamhaus’ Composite Blocking List (CBL) are meant to shut them down by blacklisting the IP addresses of infected machines. The crew behind Mumblehard made a concerted effort to get their addresses removed from the list, and largely succeeded despite protections like the CAPTCHA on its delisting form.
Over the last year, Ukrainian police worked with Eastern European cybersecurity researchers at ESET and Cys-Centrum to put an end to the years-long spam operation. Here’s how it happened.
For at least five years, maybe more, Mumblehard avoided the spotlight. That’s no mean feat for a botnet claiming at least 8,800 victims. But then ESET security researcher Marc-Étienne Léveillé received a puzzled call from a friend whose server had become a fountain of spam, causing its IP address to be blacklisted around the Internet.
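The blacklist mechanism above works over DNS: a mail server reverses the octets of the sending IP, appends the blocklist’s zone, and treats any answer in 127.0.0.0/8 as “listed” (the CBL answers 127.0.0.2) and NXDOMAIN as “not listed.” The following is an added example, not code from the article or from ESET, showing how an operator could check whether one of their own servers has ended up on the CBL. The zone name `cbl.abuseat.org` is assumed to be the CBL’s public lookup zone; the `fake_resolver` and its answers are constructed so the check can be exercised offline.

```python
"""Added example: DNSBL lookup against the Spamhaus CBL for a server's IPv4 address."""
import ipaddress
import socket
from typing import Callable, Optional

# Assumption: the CBL's public DNSBL zone. Other DNSBLs use the same query shape.
CBL_ZONE = "cbl.abuseat.org"
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the DNSBL lookup name: octets of the IPv4 address reversed, then the zone.

    192.0.2.10 -> 10.2.0.192.cbl.abuseat.org
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("the CBL lists IPv4 addresses only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str = CBL_ZONE,
              resolve: Optional[Callable[[str], str]] = None) -> bool:
    """Return True if the DNSBL answers with an address in 127.0.0.0/8.

    NXDOMAIN (socket.gaierror from the resolver) means the IP is not listed.
    `resolve` maps a hostname to an IPv4 string; it defaults to the system resolver
    and is pluggable so the logic can be tested without network access.
    """
    name = dnsbl_query_name(ip, zone)
    if resolve is None:
        resolve = socket.gethostbyname
    try:
        answer = resolve(name)
    except socket.gaierror:
        return False  # NXDOMAIN: not on the list
    return ipaddress.ip_address(answer) in LISTED_RANGE


# Constructed offline stand-in for the DNS: one listed address, one not.
FAKE_ANSWERS = {
    "10.2.0.192.cbl.abuseat.org": "127.0.0.2",  # CBL's "listed" return code
}


def fake_resolver(name: str) -> str:
    """Constructed resolver: answers from FAKE_ANSWERS, NXDOMAIN otherwise."""
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # Real lookup against the live zone; requires network access.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    print(target, "listed" if is_listed(target) else "not listed")
```

Spamhaus publishes `127.0.0.2` as a test address that every DNSBL should report as listed, which is a convenient way to confirm the resolver path works before trusting a “not listed” result. An IP that shows up here is exactly the situation Léveillé’s friend was in: outbound mail silently rejected until the server is cleaned and the address is delisted.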
The scope and cleverness that Léveillé spotted after looking into his friend’s machine turned a quick glance into an ongoing investigation.
One year ago, ESET published a research paper revealing Mumblehard to the world. The Slovakian cybersecurity firm revealed a new threat of above-average complexity that had managed to avoid detection for years thanks to the programmer’s techniques.
When Mumblehard infected a server, it opened a backdoor that let the criminals enter and gain full control of the system. Its Perl scripts and encrypted executables were packed inside one another like Russian nesting dolls. Components were tightly obfuscated, and the spam daemon that pumped out masses of profitable spam emails operated quietly in the background.
“If you don’t catch it while it’s being downloaded, it’s kind of hard to have an idea that it exists,” Léveillé told the Daily Dot. “I think that’s one of the reasons it stayed unknown for so long.”
The hackers behind Mumblehard reacted to the new publicity within a month by consolidating the now-spotlighted botnet so that only a single server was operating as the command-and-control point behind the network.
Ukrainian law enforcement and the Ukrainian cybersecurity firm Cys-Centrum identified and analyzed that server and, in collaboration with ESET, took it down.
Last year, when Mumblehard was first discovered, an ESET report said it had links to Yellsoft, a European company selling DirecMailer, Perl software for sending masses of emails. Yellsoft and Mumblehard shared IP addresses, and pirated versions of DirecMailer installed Mumblehard alongside the mailer.
Yellsoft disappeared from the Internet after ESET published its whitepaper revealing Mumblehard to the world.
Full details have yet to be released as the criminal investigation is ongoing.
Patrick Howell O'Neill is a cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.