Botnet Shut Down

Tuesday, April 12, 2016 @ 11:04 AM gHale


The six-year-old Mumblehard botnet just shut down, officials said.

A joint ESET effort with CyS Centrum LLC and the Cyber Police of Ukraine sinkholed the botnet’s main C&C (command and control server).

RELATED STORIES
Researchers Dig into Botnet
Bot Targets Routers, Embedded IoT Devices
Honeypots Discover Multiple Botnets
Ransomware Uses Viewing App in Attack

Details about Mumblehard surfaced last April when ESET described the dealings of a group that had been operating since 2010, hijacking Linux servers and using them to send massive amounts of spam.

Originally, it was thought the group was using vulnerabilities in server software to infect the websites. Initial clues pointed the researchers toward Joomla, WordPress, and the DirectMailer mass-mailing software.

After further analysis, ESET has now corrected this information and said the group was seen operating where a PHP shell had already been installed, making the researchers assume Mumblehard operators were buying access to run their malware on servers compromised by other actors.

ESET said as soon as they published their original technical write-up last year, Mumblehard operators started making changes to their malware’s code, allowing the researchers to pinpoint the location of the true C&C server, which was on a server with an IP in Ukraine.

ESET informed the proper authorities, who seized the IP and transferred it to the security firm, who’s now running a server that’s sinkholing all the requests made by Mumblehard’s bots.

The sinkholing operation took place February 29. Since that time, ESET has detected over 4,000 bots trying to connect to their old server.

CERT-Bund (Computer Emergency Response Team Germany) is now notifying all affected server
owners.