- Feb 4, 2016
In cooperation with CyS-CERT and Cybernetics Police of Ukraine, ESET helps identify and stop backdoor operations in 63 different countries.
ESET, which provides business solutions for proactive threat detection, announces its contribution to the action that disrupted the Mumblehard botnet. The action, carried out in cooperation with CyS-CERT and the Cyber Police of Ukraine, enabled the takedown of a network of thousands of infected Linux systems worldwide, including in Brazil.
"Forensic analysis revealed that, at the time the botnet's operation was interrupted, the network consisted of about four thousand systems in 63 different countries," explains Marc-Etienne Léveillé, ESET Malware Researcher. The backdoor used the infected hosts to carry out illegal activity, namely sending spam. Among the Latin American countries affected, 60 victims were registered in Brazil, 27 in Chile, 14 in Mexico, 12 in Colombia, 10 in Argentina, 4 in Peru and 2 in Bolivia.
When publishing their discovery of the botnet in 2015, ESET's researchers also registered a domain that had served as a command and control (C&C) server, in order to estimate the size and geographic distribution of the botnet. This led the malware authors to reduce the number of C&C servers to a single one, located in Ukraine, that remained under the attackers' direct control.
With the help of the Cyber Police of Ukraine and CyS-CERT, it was possible to obtain data from that C&C server at the end of 2015. Forensic analysis of the server confirmed the initial assumptions about the size of the botnet and its purpose, its main activity being the sending of spam. In addition, a number of different control panels were found that made it easy for the attacker to manage the botnet.
Based on data collected from the sinkhole server (a server controlled by ESET), it was possible to notify the administrators of infected servers. Germany's Computer Emergency Response Team (CERT-Bund) intervened and began notifying the affected victims. "When you receive a notification that your server is infected, we recommend that you consult our GitHub repository of indicators of compromise for details on how to find and remove Mumblehard from your system," recommends Léveillé.
"A great deal of effort by many different parties was necessary to make the disruption of this botnet possible. Though it is not the most widespread, dangerous or sophisticated botnet in existence today, this still shows that the joint work of security researchers with other entities can have an important impact in reducing criminal activity on the Internet. We are proud of our efforts to make the Internet a safer place," adds Marc-Etienne Léveillé.
To prevent future infections, ESET's security experts advise keeping the web applications hosted on a server, including their plugins, up to date, and protecting administrative accounts with two-factor authentication.
Forgive my English