Mumblehard - Malware that affects Linux and BSD Systems

Several websites have discussed this write-up by Marc-Etienne M.Leveille of ESET on the Mumblehard malware, which ESET discovered while working with a customer. Though Linux malware (just like OS X malware) is nothing new, this sample included a very interesting binary packer that actually detects BSD systems. The attack vector for this malware was Joomla and WordPress exploits, together with an illegal copy of DirectMailer, which installs the backdoor once the software is loaded (M.Leveille, 2015).

The malware is Perl code packed inside an ELF binary (the executable file format on UNIX and UNIX-like systems). By issuing a system call whose number maps to different calls on Linux and BSD, the packer can determine which kernel the binary is executing on. The following is the specific disassembled code from the M.Leveille report:

mov eax, SYS_time; //BSD_fchdir
push ebx; //Set to NULL or 0
push eax
int 80h;//syscall 13
//saves EAX and compares
cmp eax, 0 
//jumps to a specific location for BSD systems if the value is less than 0 (negative) 
//Or jumps to specific location for Linux systems when EAX is set to current number of seconds since the UNIX EPOCH

(M.Leveille, 2015, p. 6)

There is no specific data on the number of BSD systems that were compromised, beyond the compromised systems that showed up in the ESET sinkholes. The key takeaway from this report is that BSD systems can be just as unpatched, misconfigured and vulnerable as Linux systems when care is not taken to keep the operating system up-to-date and to promptly patch web applications when vulnerabilities are disclosed. To check your BSD systems, look for binaries running from /var/tmp or /tmp. The malware also sets $0 to httpd to hide itself, and it installs a cron job that runs every 15 minutes:

*/15 * * * * /var/tmp/qCVwOWA > /dev/null 2>&1

(M.Leveille, 2015, p. 6) 
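The checks described above (binaries running from /tmp or /var/tmp, a process calling itself httpd, and a cron entry pointing into /var/tmp) can be scripted. The following is an added example, not code from the ESET report or from the Mumblehard sample; LEGIT_HTTPD (the installed web server path), the "PID NAME PATH" input format and the sample data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the ESET report or the Mumblehard sample.
# Hunts for the indicators in the post: cron entries and processes running
# out of /tmp or /var/tmp, and processes presenting as "httpd" whose real
# executable is not the installed web server (hypothetical LEGIT_HTTPD,
# defaulting to the FreeBSD ports location).
LEGIT_HTTPD="${LEGIT_HTTPD:-/usr/local/sbin/httpd}"
# stdin: crontab text -> non-comment entries whose command is under /tmp or /var/tmp
suspicious_cron_lines() {
    grep -Ev '^[[:space:]]*#' | grep -E '(^|[[:space:]])/(var/)?tmp/'
}

# stdin: "PID NAME PATH" lines (NAME is what the process calls itself, which
# Mumblehard sets to httpd; PATH is the real executable) -> flagged lines
suspicious_processes() {
    while read -r pid name path; do
        reason=''
        case "$path" in /tmp/*|/var/tmp/*) reason='tmp-executable' ;; esac
        if [ "$name" = httpd ] && [ "$path" != "$LEGIT_HTTPD" ]; then
            reason="${reason:+$reason,}fake-httpd"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s %s\n' "$pid" "$name" "$path" "$reason"
        fi
    done
}
# Live "PID NAME PATH" list: procfs on Linux, procstat(1) on FreeBSD
# (-a: all processes, -b: binary path; columns PID COMM OSREL PATH).
list_processes() {
    if [ -r /proc/1/exe ]; then
        for d in /proc/[0-9]*; do
            name=$(cat "$d/comm" 2>/dev/null) || continue
            path=$(readlink "$d/exe" 2>/dev/null) || continue
            printf '%s %s %s\n' "${d#/proc/}" "$name" "$path"
        done
    elif command -v procstat >/dev/null 2>&1; then
        procstat -a -b | awk 'NR > 1 { print $1, $2, $4 }'
    fi
}
# Constructed sample input; the cron line is the one quoted in the post.
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /var/tmp/qCVwOWA > /dev/null 2>&1'
SAMPLE_PROCS='812 httpd /usr/local/sbin/httpd
9931 httpd /var/tmp/qCVwOWA
1042 sshd /usr/sbin/sshd'

# Dry run on the samples; live: crontab -l | suspicious_cron_lines ; list_processes | suspicious_processes
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
printf '%s\n' "$SAMPLE_PROCS" | suspicious_processes
```

On a real host also feed /etc/crontab and every user's crontab through suspicious_cron_lines, since the backdoor's entry may live in any of them.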

Make sure you are monitoring your BSD systems and keeping your applications up-to-date.

Reference: M.Leveille, M.E. (2015). Unboxing Linux/Mumblehard: Muttering spam from your servers. Retrieved from

Copyright © 2023 Daemon Security Inc.