2. INTRODUCTION
• Malware, short for malicious software, is any software used to disrupt
computer operation, gather sensitive information, or gain access to private
computer systems.
• ‘Mayhem’ is a new piece of malware being used to target Linux and FreeBSD
web servers in order to make them part of a wide botnet, without needing
any root privileges.
• A botnet is a collection of Internet-connected programs communicating
with other similar programs in order to perform tasks.
• It targets only machines that have not been updated with security
patches.
• The infection of websites and even entire web servers has become
common.
• Mayhem is a multi-purpose modular bot for web servers.
3. WORKING
• After execution, the PHP dropper kills all ‘/usr/bin/host’ processes, identifies
the system architecture (x64 or x86) and system type (Linux or FreeBSD),
and drops a malicious shared object named ‘libworker.so’. The script also
defines a variable ‘AU’, which contains the full URL of the script being
executed.
• The PHP dropper then creates a shell script named ‘1.sh’. It also exports
the environment variable ‘AU’, carrying the same URL as the ‘AU’ variable
defined in the PHP script.
• The PHP dropper executes the shell script by running ‘at now -f 1.sh’,
which schedules ‘1.sh’ as a one-off job run by the at daemon.
• The dropper waits for at most five seconds, then deletes the corresponding
at job, so the entry is visible in the at queue only briefly.
6. HIDDEN FILE SYSTEM
• The malware uses a hidden file system to store its files.
• The filename of the hidden file system is defined in the configuration,
but its name is usually ‘.sd0’.
• The hidden file system is used to store plug-ins and files with strings to
process: lists of URLs, usernames and passwords.
• None of these files were detected by the VirusTotal malware scanning
service.
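A host-side triage check for the indicators named in sections 3 and 6 (the ‘libworker.so’ object, the ‘1.sh’ script, the ‘at now -f 1.sh’ invocation, the ‘AU’ variable and the ‘.sd0’ hidden file system), as an added example; this is not code from the original report or from the malware. The directory tree, process listing and environment blob it scans are constructed inline. The regexes and the list of plug-in filenames are assumptions drawn from the names above; note that the hidden file system’s name is configurable, so a scan keyed on ‘.sd0’ alone can miss a renamed instance.

```python
"""Triage checks for the Mayhem indicators described in the text.
Added example, not the malware's or the report's code; sample data is
constructed here so the script runs offline."""
import os
import re
import tempfile

# File-name indicators taken from the text: the dropped shared object, the
# dropper's shell script, the usual hidden file system name, and the
# plug-in names. Treat as a starting point: the '.sd0' name is configurable.
FILE_IOCS = {
    "libworker.so", "1.sh", ".sd0",
    "rfiscan.so", "wpenum.so", "cmsurls.so", "bruteforce.so",
    "bruteforceng.so", "ftpbrute.so", "crawlerng.so", "crawlerip.so",
}

# Command-line fragments worth flagging in a 'ps -eo pid,args' listing:
# the dropper's 'at now -f 1.sh' call and any process referencing
# libworker.so. (Assumed patterns, built from the names in the text.)
PROC_PATTERNS = [
    re.compile(r"\bat\s+now\s+-f\s+\S*1\.sh"),
    re.compile(r"libworker\.so"),
]


def scan_tree(root):
    """Walk ROOT and return sorted paths whose basename is an indicator."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in FILE_IOCS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def scan_process_lines(lines):
    """Return (pid, cmdline) pairs from 'pid args'-style lines that match
    one of PROC_PATTERNS. Header and malformed lines are skipped."""
    flagged = []
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        pid, cmd = parts
        if any(p.search(cmd) for p in PROC_PATTERNS):
            flagged.append((int(pid), cmd))
    return flagged


def find_au_marker(environ_blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries)
    and return the value of the dropper's 'AU' variable, or None."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"AU="):
            return entry[3:].decode("utf-8", "replace")
    return None


# Constructed sample data (not captured from a real infection).
SAMPLE_PS = [
    "  PID COMMAND",
    "    1 /sbin/init",
    " 2041 /usr/sbin/apache2 -k start",
    " 2310 sh -c at now -f /tmp/1.sh",
    " 2318 /usr/bin/host",          # a plain host(1) run is not flagged
]
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\0"
                  b"AU=http://example.invalid/dropper.php\0"
                  b"HOME=/var/www\0")


def build_sample_tree():
    """Create a throwaway tree mixing constructed artefacts with benign
    files, so scan_tree() has something to find offline."""
    root = tempfile.mkdtemp(prefix="mayhem_demo_")
    for rel in ("var/www/html/index.php", "var/www/html/.sd0",
                "tmp/libworker.so", "tmp/1.sh", "usr/lib/libc.so.6"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"demo")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in scan_tree(root):
        print("file indicator:", hit)
    for pid, cmd in scan_process_lines(SAMPLE_PS):
        print("process indicator:", pid, cmd)
    print("AU marker:", find_au_marker(SAMPLE_ENVIRON))
```

On a live host, point `scan_tree` at the web root and `/tmp`, feed `scan_process_lines` the output of `ps -eo pid,args`, and read `/proc/<pid>/environ` for any flagged PID; because the dropper removes its at job within about five seconds, the at queue itself is a poor place to look after the fact.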
7. SPREAD BY PLUGINS
• The bot communicates with its command and control (C&C) servers, which can
send it different instructions.
• Its functions can be expanded through plugins, and so far eight plugins
have been discovered:
• rfiscan.so - Find websites that contain a remote file inclusion (RFI) vulnerability
• wpenum.so - Enumerate users of WordPress sites
• cmsurls.so - Identify user login pages in sites based on the WordPress CMS
• bruteforce.so - Brute force passwords for sites based on the WordPress and
Joomla CMSs
• bruteforceng.so - Brute force passwords for almost any login page
• ftpbrute.so - Brute force FTP accounts
• crawlerng.so - Crawl web pages (by URL) and extract useful information
• crawlerip.so - Crawl web pages (by IP) and extract useful information
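A defender-side counterpart to the ‘bruteforce.so’ and ‘bruteforceng.so’ plug-ins listed above: a check that reads web server access logs and reports sources that repeatedly POST to a CMS login page. This is an added example, not code from the original report or from the malware, and the page does not describe the plug-ins’ request patterns, so the login paths (the standard WordPress and Joomla administrator login URLs), the threshold and the log lines are all assumptions constructed here.

```python
"""Find password brute-forcing against CMS login pages in access logs.
Added example; log lines are constructed, not captured."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields we need are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed login endpoints for the two CMSs the text names.
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, threshold=5):
    """Return {ip: {login_path: post_count}} for every source IP that sent
    at least THRESHOLD POST requests to a login page. Every POST counts,
    whatever the status, because a failed guess and a success both
    belong to the same attempt series."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]   # drop query string
        if path in LOGIN_PATHS:
            counts[rec["ip"]][path] += 1
    return {ip: dict(paths) for ip, paths in counts.items()
            if sum(paths.values()) >= threshold}


# Constructed sample log: one noisy source, one ordinary user, one bad line.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2014:10:00:%02d +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3213' % sec
    for sec in range(1, 7)
] + [
    '198.51.100.2 - - [14/Jul/2014:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.2 - - [14/Jul/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [14/Jul/2014:10:00:12 +0000] '
    '"POST /administrator/index.php?task=login HTTP/1.1" 200 4010',
    'not a log line',
]


if __name__ == "__main__":
    for ip, paths in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, paths)
```

In practice, feed it the access log over a time window rather than the whole file, and tune the threshold to the site’s normal login volume; a single low-and-slow source will need a longer window to cross it.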
8. AFFECTED SYSTEMS
• Around 1,400 Linux and FreeBSD servers around the world have been
compromised by the malware.
• Most of the compromised machines are located in the USA, Russia,
Germany and Canada.