MAYHEM MALWARE 
Presented by: 
AKASH DEEP 
REG NO-1731310017 
MTECH ISCF 2ND YEAR
INTRODUCTION
• Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
• ‘Mayhem’ is a new piece of malware that is being used to target Linux and FreeBSD web servers in order to make them part of a wide botnet, even without the need for any root privileges.
• A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks.
• It targets only those machines which are not updated with security patches.
• The infection of websites and even entire web servers has become common.
• Mayhem is a multi-purpose modular bot for web servers.
WORKING
• After execution, the script kills all ‘/usr/bin/host’ processes, identifies the system architecture (x64 or x86) and system type (Linux or FreeBSD), and drops a malicious shared object named ‘libworker.so’. The script also defines a variable ‘AU’, which contains the full URL of the script being executed.
• The PHP dropper creates a shell script named ‘1.sh’. Besides all of this, the script also creates the environment variable ‘AU’, which is the same as the one defined in the PHP script.
• The PHP dropper executes the shell script by running the command ‘at now -f 1.sh’.
• The dropper waits for at most five seconds, then deletes the corresponding cron task.
MAIN LOOP FUNCTION
HIDDEN FILE SYSTEM
• The malware uses a hidden file system to store its files.
• The filename of the hidden file system is defined in the configuration, but its name is usually ‘.sd0’.
• The hidden file system is used to store plug-ins and files with strings to process: lists of URLs, usernames and passwords.
• None of these files were detected by the VirusTotal malware scanning tool.
SPREAD BY PLUGINS
• The bot establishes communication with the command and control servers, which can send the malware different instructions.
• Its functions can be expanded through plugins, and at the moment some eight plugins have been discovered:
• rfiscan.so - Find websites that contain a remote file inclusion (RFI) vulnerability
• wpenum.so - Enumerate users of WordPress sites
• cmsurls.so - Identify user login pages in sites based on the WordPress CMS
• bruteforce.so - Brute force passwords for sites based on the WordPress and Joomla CMSs
• bruteforceng.so - Brute force passwords for almost any login page
• ftpbrute.so - Brute force FTP accounts
• crawlerng.so - Crawl web pages (by URL) and extract useful information
• crawlerip.so - Crawl web pages (by IP) and extract useful information
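A defender-side triage check built from the host indicators the WORKING, HIDDEN FILE SYSTEM and SPREAD BY PLUGINS slides describe: the ‘.sd0’ hidden file system, the dropped ‘libworker.so’, the ‘1.sh’ script scheduled with ‘at now -f’, the ‘AU’ environment variable holding the dropper URL, and the eight plugin names. This is an added example, not code from the presentation or from the malware analysis it summarises; the sample paths, command lines and process environments are constructed, and the example.invalid URL is a placeholder.

```python
import re

# Indicators taken from the slides: files the dropper and bot leave behind,
# the at-job the PHP dropper schedules, the AU variable and the plugin names.
ARTIFACT_NAMES = {"libworker.so", "1.sh", ".sd0"}
PLUGIN_NAMES = {"rfiscan.so", "wpenum.so", "cmsurls.so", "bruteforce.so",
                "bruteforceng.so", "ftpbrute.so", "crawlerng.so", "crawlerip.so"}
AT_CMD_RE = re.compile(r"\bat\s+now\s+-f\s+(\S+)")  # e.g. "at now -f 1.sh"
URL_RE = re.compile(r"^https?://", re.I)

def scan_paths(paths):
    """Flag paths whose basename is a Mayhem artefact or a known plugin."""
    hits = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if name in ARTIFACT_NAMES:
            hits.append(("artifact", path))
        elif name in PLUGIN_NAMES:
            hits.append(("plugin", path))
    return hits

def scan_commands(command_lines):
    """Flag command lines (at queue, shell history, process args) that schedule a script via 'at now -f'."""
    return [("at-job", m.group(1)) for line in command_lines
            if (m := AT_CMD_RE.search(line))]

def scan_environments(process_envs):
    """Flag processes whose environment carries AU set to a URL; the dropper
    exports AU with the full URL of the script it was fetched from."""
    return [("env", pid, env["AU"]) for pid, env in process_envs.items()
            if URL_RE.match(env.get("AU", ""))]

def triage(paths, command_lines, process_envs):
    """Combine the three checks into one list of findings for a host."""
    return (scan_paths(paths) + scan_commands(command_lines)
            + scan_environments(process_envs))

# Constructed sample collection (not real data); the bot needs no root, so its
# files sit in directories writable by the web server user.
SAMPLE_PATHS = ["/var/www/html/.sd0", "/var/www/html/libworker.so",
                "/var/www/html/index.php", "/tmp/rfiscan.so"]
SAMPLE_COMMANDS = ["at now -f 1.sh", "php -f index.php"]
SAMPLE_ENVS = {4242: {"AU": "http://example.invalid/dropper.php", "HOME": "/var/www"},
               1: {"HOME": "/root"}}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PATHS, SAMPLE_COMMANDS, SAMPLE_ENVS):
        print(finding)
```

On a live host the three inputs would come from a file walk of the web root and /tmp, the output of `atq`/`at -c`, and each process's environment, collected as the web server user since the bot never needs root.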
AFFECTED SYSTEMS...
• Some 1,400 Linux and FreeBSD servers around the world have been compromised by the malware.
• Most of the compromised machines are located in the USA, Russia, Germany and Canada.