Mayhem Malware is targeting Linux and FreeBSD servers

A security team at Russian Internet firm Yandex has identified a botnet based on a malware dubbed Mayhem which is targeting Linux and FreeBSD web servers.

Security experts at Russian Internet company Yandex have detected a new strain of malware dubbed Mayhem which is targeting server based on Linux and FreeBSD OSs. 

The malware Mayhem was designed to infect servers running the popular distributions and use them as part of a botnet, even without the need of any root privileges.

Mayhem isn’t a totally new malware, it was first discovered in April 2014, and according to the experts at Yandex, it is linked to the “Fort Disco” brute-force campaign uncovered by Arbor Networks in 2013 that compromised more than 6000 websites based on popular CMSs.

Mayhem is considered a dangerous cyber threat, it has a modular structure which is able to load numerous payload to compromise targeted systems.

• rfiscan.so – Find websites that contain a remote file inclusion (RFI) vulnerability
• wpenum.so – Enumerate users of WordPress sites
• cmsurls.so – Identify user login pages in sites based on the WordPress CMS
• bruteforce.so – Brute force passwords for sites based on the WordPress and Joomla CMSs
• bruteforceng.so – Brute force passwords for almost any login page
• ftpbrute.so – Brute force FTP accounts
• crawlerng.so – Crawl web pages (by URL) and extract useful information
• crawlerip.so – Crawl web pages (by IP) and extract useful information

The attackers use a sophisticated PHP script to compromise the servers, it still has a low detection rate with the principal antivirus products on the market.  Mayhem scans the internet searching for vulnerable servers, the rfiscan.so for example is used to discover servers hosting websites with a remote file inclusion (RFI) vulnerability, once the malware exploits an RFI it will run a PHP script on a victim.

The experts have discovered that more than 1,400 Linux and FreeBSD servers have been compromised worldwide, but it could be just the tip of the iceberg considering that Mayhem infects mainly those machines which are not updated with security. The majority of infected servers is located in the USA, Russia, Germany and Canada.

“As stated previously, the malware uses a hidden file system to store its files. The file system comprises a file that is created during the initialization. The filename of the hidden file system is defined in the configuration, but its name is usually ‘.sd0’. To work with this file system an open-source library ‘FAT 16/32 File System Library’, [8] is used. The library contains code to create and work with the FAT file system, but it is not used in the original form – some functions have been modified to support encryption. Every block is encrypted with 32 rounds of XTEA algorithm in ECB mode and the encryption key differs from block to block.

The hidden file system is used to store plug-ins and files with strings to process: lists of URLs, usernames, passwords, etc.” states and interesting report published by malwaremustdie.org.