A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down.
"There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn’t work) was used to break the protection."
In the months following Eset's discovery of Mumblehard in late 2014, company researchers worked with Estonian law enforcement and an industry partner to shut down the botnet. In February of this year, the group took control of the Internet address belonging to the command server, making it possible for researchers to "sinkhole" the botnet. Rather than connecting to the attackers' control server, the infected machines connected to benign machines operated by the takedown participants. By analyzing the incoming traffic, they estimated that about 4,000 computers were infected.
Researchers still don't know how Mumblehard was able to initially take hold of its victims. Initially, researchers suspected that the malware exploited vulnerabilities in content management systems such as WordPress, or the many plug-ins that are associated with them. Analysis of the control server revealed this theory was incorrect, however. The number of machines reporting to the sinkholed server has been slowly dropping as compromised systems are disinfected.