Unboxing Linux Malware: Spam from your servers

Today, ESET researchers reveal a family of Linux malware that stayed under the radar for more than 5 years. We have named this family Linux/Mumblehard. A white paper about this threat is available for download on WeLiveSecurity.

There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average.

Monitoring of the botnet suggests that the main purpose of Mumblehard is to send spam, sheltering behind the good reputation of the infected machines' legitimate IP addresses.

The relationship between the components and their command and control servers is illustrated in the following diagram:

(diagram: Mumblehard components and their C&C servers)

Prevalence

ESET researchers were able to monitor the Mumblehard backdoor component by registering a domain name used as one of the C&C servers. More than 8,500 unique IP addresses showed Mumblehard behavior when hitting the sinkhole while we were observing the incoming requests. The following chart shows the number of unique IP addresses seen each day over that period.

(chart: unique IP addresses per day)

We can see from the chart that during the first week of April, more than 3,000 machines were affected by Mumblehard. The number of infected hosts is slowly decreasing, but the overall view shows that infections happen in bursts at specific times and that the botnet size doubled over a 6-month period.

A quick look at the list of victims suggests that Mumblehard mostly targets web servers.

Links with Yellsoft

Our analysis and research also shows a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer. The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.

Prevention

Administrators should look for unsolicited cron entries in the crontabs of all users on their servers: a cron job is how Mumblehard re-launches its backdoor every 15 minutes. The backdoor is usually installed in /tmp or /var/tmp, so mounting those directories with the noexec option prevents the backdoor from starting in the first place.
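As an added illustration of that check (an example script written for this page, not ESET's tooling), the following POSIX shell snippet filters crontab-format text for entries that execute something under /tmp or /var/tmp. The sample crontab, including the path /var/tmp/example-backdoor, is constructed for the example; the scan_all_users helper shows how the same filter would be run over every account on a real host, which needs root to read other users' crontabs.

```shell
#!/bin/sh
# Example (not from the ESET write-up): find cron jobs that run out of
# /tmp or /var/tmp, the locations the Mumblehard backdoor is usually
# installed in. Also check /etc/crontab and /etc/cron.d/* the same way.

# flag_tmp_cronjobs: read crontab lines on stdin and print the ones whose
# command references a path under /tmp/ or /var/tmp/. Comment and blank
# lines are dropped first. The leading character class stops /usr/tmp/
# or similar from matching.
flag_tmp_cronjobs() {
    grep -Ev '^[[:space:]]*(#|$)' | \
    grep -E '(^|[^[:alnum:]/._-])(/var)?/tmp/'
}

# count_tmp_cronjobs: number of flagged entries in the crontab text in $1.
count_tmp_cronjobs() {
    printf '%s\n' "$1" | flag_tmp_cronjobs | wc -l | tr -d ' '
}

# scan_all_users: run the filter over every account's crontab, prefixing
# each hit with the user name. crontab -l -u needs root.
scan_all_users() {
    cut -d: -f1 /etc/passwd | while read -r user; do
        crontab -l -u "$user" 2>/dev/null | flag_tmp_cronjobs | sed "s/^/$user: /"
    done
}

# Constructed sample, as an infected user's `crontab -l` might look.
# The third line models the every-15-minutes launcher; the binary name
# is made up for this example.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /var/tmp/example-backdoor >/dev/null 2>&1
30 1 * * 0 /usr/local/bin/backup.sh'

# Stand-alone demonstration: prints only the */15 line.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_tmp_cronjobs

# Hardening reference (an /etc/fstab line, assumed layout; adjust to the host):
#   tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,nodev  0 0
```

Note that noexec only stops the kernel from executing a binary stored on that mount; a cron entry that invokes an interpreter on the file (for instance perl /var/tmp/something) still runs, so the cron review is the check to rely on, with noexec as a second layer.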

The white paper with all the technical details is available for download on WeLiveSecurity.

Picture Credits: Flickr/Christian Barmala
by Marc-Etienne M.Léveillé, ESET

Hackers phish for data with fake Apple Watch giveaway


ESET Ireland advises Apple fans keen to get their hands on the Apple Watch to think before they click, after hackers exploited a wave of enthusiasm around the launch with a phishing scam linked to a fake giveaway.

As reported by Computer Business Review, victims were enticed on social networks by the offer of a free Apple Watch, but after taking the bait were directed to a series of links and instructions leading them to other dubious web pages.

It’s suspected that the scams are designed to collect data, with one Facebook event page asking victims to provide their full names and Facebook handle. Those who clicked through were also asked to invite their friends to the event to claim the device, with 100 invites earning them an Apple Watch, 250 an Apple Watch Sport and 500 the Apple Watch Edition, to be sold by Apple for $17,000.

Users on Twitter were also directed towards the scam, with fake accounts named ‘Apple Giveaways’ targeting users that mentioned the smartwatch on the social network.

Phishing scams are often timed to coincide with product launches and news events, preying on victims’ excitement or vulnerability. Just last month, for instance, cybercriminals targeted victims of the recent Anthem data breach, offering fake victim support and a non-existent credit monitoring service.

In the meantime, cases like this and the Apple Watch scam highlight the importance of keeping your wits about you and your defences up while browsing Facebook and Twitter.

by Kyle Ellison, ESET

No, there’s no Google Lottery, sorry.

Scammers are keeping busy, sending all sorts of attempts to get at your personal info, which they can then proceed to abuse. This week ESET Ireland received a good deal of this particular sort of spam email. As people are conditioned to trust “brand names”, adding “Google”, “Gmail” and “Microsoft Windows” to an otherwise very common scam guarantees the scammers a few additional victims. And stamping “Approved” as a watermark is, in the scammers’ opinion, guaranteed to seal the deal.


Don’t fall for it. Enjoy safer technology.

No, Bank of Ireland isn’t running a routine security check on your account


ESET Ireland warns that Irish computers are being targeted by an email scam involving the name of the Bank of Ireland and redirecting to a fraudulent Polish address.

ESET Ireland is regularly monitoring email scams targeting Irish mailboxes. In the past few days we have seen an increased frequency of the following message:

Subject: Security Measures * 806600
Date: 17 Feb 2015 10:57:57 +0200
From: Bank.of.Ireland [365]

Dear Account Owner,

365 Bank.of.Ireland apologizes for the inconvenience but you have been chosen randomly by our security system for routine checks of your account.

To continue to use your account for online payments and other methods of purchase, please follow the steps:

http://www1.bank.of.ireland365.online.com

However, the link that appears to be a “Bank of Ireland” one actually redirects to wzgorzetoskanii.pl, a Polish web address, and from there to another site with an Australian domain name. That site displays a forged Bank of Ireland website which asks the user to “sign in” with their online banking details, handing them over to the cybercriminals for further abuse.

ESET Ireland warns Irish users to ignore such email and to ring their bank if they’re unsure about any such emails or text messages received.

by Urban Schrott, ESET Ireland


Italian job? Tax refund scam as Gaeilge in Irish mailboxes

Are we all getting €138.50 back from the taxman? No. But scammers with an Italian link are trying to convince Irish recipients they’re legit by sending a mail as Gaeilge.

ESET Ireland has detected many samples of an email, targeting Irish mailboxes, which has a subject “Tax Refund Application” and reads:

From: Revenue – Irish Tax <xxxxx@revenue.ie>

Revenue – Cin agus Custaim na hireann

Tar is na romhanna bliantil deireanach de do ghnomhaocht fioscach, n mr dinn a chinneadh go bhfuil t i dteideal a fhil ar aisoc cnach de € 138.50 EUR. Cuir do Iarratas Aisoc Cnach ag lonadh an eForm135. Beidh do aisoc a chur chuig do chuntas bainc sa 2-4 seachtaine seo chugainn.

Nta: Is fidir aisocaocht a moill ar chiseanna agsla, mar shampla, a chur isteach taifid neamhbhail n a bhfuil feidhm i ndiaidh an spriocdhta.

_______________________________________________

Revenue – Irish Tax and Customs

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of € 138.50 EUR. Complete your Tax Refund Application by filling the eForm135. Your refund will be sent to your bank account in the next 2-4 weeks.

Note: A refund can be delayed for various reasons, for example submitting invalid records or applying after the deadline.

The email prompts potential victims to fill in a form which, unsurprisingly, leads to a website at http://www.comunespoleto.gov.it, an Italian address. From there it redirects to an Australian-hosted fake website, registered in the USA and equipped with all the official markings of Irish Tax and Customs, which asks for personal, bank and card details that the scammers can then rob.


Any Irish speaker would quickly recognise the translation as a poor Google Translate job, and the scammer’s sloppy copy-paste even removed all the accented characters from the text, which makes it rather useless, but an average unfamiliar user could still be fooled by the fact that the mail and forged website are rather official-looking. Phishing mails like this one, using a relatively rare language to address potential victims, show how the cybercriminals are targeting even small countries, just for a chance of profit. The long global path of the scam (Irish targets via an Italian link via an Australian site with an American site registration) on the other hand shows the complexity of the global business that is cybercrime.

ESET Ireland recommends Irish computer users be on the lookout for scams like this one. Do not reply to the email, do not follow its bad links and never ever give your personal and banking details to such online forms.

by Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland

It’s not the Russians, six out of ten top email spammers come from USA


Recent Spamhaus statistics show that about 60% of the worst listed spam operations are based in the USA, and only about 10% in Russia and Ukraine.

Whenever ESET Ireland warns the public of some new spam or scam that’s hitting Irish mailboxes, we inevitably get asked where it is all coming from and who is behind it. Now we have the latest statistics from Spamhaus, a Swiss-based organization whose mission is to track the Internet’s spam operations, that shed some light on the spamming sources. Up to 80% of spam targeted at Internet users in North America and Europe is generated by a hard-core group of around 100 known professional spam gangs whose names, aliases and operations are documented in the Spamhaus database. The chart of listed spammers is based on those viewed as the highest threat, the worst of the career spammers currently causing the most damage on the Internet. Spamhaus flags these gangs and individuals as a priority for law enforcement agencies.

Their activities include using many falsified domains to send tens of millions of spams per day using botnet techniques, renting an endless number of servers to host their own spam webpages and the webpages of their spam-clients, billing for child, animal, and incest-porn, pirated software, and fake pharmaceuticals.

At ESET Ireland we often write about various spams and scams targeting Irish computer users, such as the recent fraudulent “Notice of Tax Return” purporting to come from Irish Tax and Customs and many others. Most of the time it is difficult to define where the spam is coming from, as the cybercriminals behind it use various techniques to hide their origin behind faked domain names.

All the spam the cybercriminals send is in various ways designed to make money for them and never for the benefit of the receiver, no matter what wonderful things it may promise. ESET Ireland therefore recommends computer users use spam filters and flag and delete any spam they may encounter, to help prevent its spreading.

by Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

Irish businesses targeted by an infected fake complaint email

ESET Ireland has detected another threat targeting Irish businesses. Emails are being received by .ie email addresses, with an infected attachment and an official looking complaint notification:

Subject: FW : Complaint – 5458414
Date: Mon, 17 Jun 2013 11:52:35 -0600
From: Dun & BradStreet <alert@dnb.com>
New Complaint : 5458414

Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 28, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada. This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us. We look forward to your prompt attention to this matter.

To ensure delivery of Dun & Bradstreet Credibility Corp. emails to your inbox and to enable images to load in future mailings, please add alerts@dandb.com to your email address book or safe senders list.

© 2012 Dun & Bradstreet Credibility Corp.

Dun & Bradstreet Credibility Corp. 103 JFK Parkway, Short Hills, NJ 07078

The fake notice asks the receiver to open an attachment (Case_06172016DNB.zip), print the complaint and respond before June 28th, but the attachment contains an .exe file that is actually malware, detected by ESET as Win32/PSW.Fareit.a, a trojan that steals passwords and other sensitive information and attempts to send the gathered data to a remote machine.

Receivers of this and similar emails are advised to mark them as spam and not open any attachments in emails from unverified sources, no matter how official they look.
