Authorities Shut Down Botnet of 4,000 Linux Servers Used to Send Spam

Av Gurus

The six-year-old Mumblehard botnet is no more, ESET reports, explaining that a joint effort with CyS Centrum LLC and the Cyber Police of Ukraine has finally allowed them to sinkhole the botnet's main C&C (command and control server).

Details about Mumblehard surfaced in April 2015, when ESET described the shady dealings of a cyber-criminal group that had been operating since 2010, hijacking Linux servers and using them to send massive amounts of spam.

Mumblehard botnet controlled via a server in Ukraine
Originally, it was thought the group was using vulnerabilities in server software to infect the websites. Initial clues pointed the researchers towards Joomla, WordPress, and the DirectMailer mass-mailing software.

After further analysis, ESET has now corrected this information and says that the group was seen operating where a PHP shell had already been installed, making the researchers assume that Mumblehard operators were buying access to run their malware on servers compromised by other actors.

Either way, this isn't a problem anymore. ESET informs us that as soon as they published their original technical write-up last year, Mumblehard operators started making changes to their malware's code, allowing the researchers to pinpoint the location of the true C&C server, which was found on a server with an IP in Ukraine.

Over 4,000 infected servers comprised the Mumblehard botnet
ESET informed the proper authorities, who seized the IP and transferred it to the security firm, which is now running a server that sinkholes all the requests made by Mumblehard's bots.

The sinkholing operation took place on February 29, 2016. Since that time, ESET has detected over 4,000 bots trying to connect to their old server.

CERT-Bund (Computer Emergency Response Team Germany) is now notifying all affected server owners. ESET has also published a series of tips and tools for detecting and removing Mumblehard from infected machines.