MalwareMustDie

MalwareMustDie logo

Abbreviation: MMD
Formation: August 28, 2012
Headquarters: Japan, Germany, France, United States
Region: Global
Membership: < 100
Website: www.malwaremustdie.org

MalwareMustDie, NPO [1] [2] is a whitehat security research workgroup launched in August 2012. It is a registered nonprofit organization that serves as a medium for IT professionals and security researchers to organize a workflow for reducing malware infections on the internet. The group is known for its malware analysis blog [3] and maintains a list [4] of the Linux malware research and botnet analyses it has completed. The team shares information about malware in general and advocates better detection of Linux malware. [5]

MalwareMustDie is also known for its original analyses of newly emerged malware and botnets, for sharing the malware source code it has found [6] with law enforcement and the security industry, for operations to dismantle malicious infrastructure, [7] [8] for technical analyses of specific malware's infection methods, and for reports on newly emerged cybercrime toolkits.

Several notable internet threats that were first discovered and announced by MalwareMustDie are:

MalwareMustDie has also been active in analyzing vulnerabilities used as client-side attack vectors. For example, its work on Adobe Flash CVE-2013-0634 (the LadyBoyle SWF exploit) [56] [57] and on other undisclosed Adobe vulnerabilities in 2014 received Security Acknowledgments for Independent Security Researchers from Adobe. [58] Another case researched by the team was the reverse engineering of a proof of concept for a backdoor (CVE-2016-6564) in one brand of Android phone, which was later found to affect 2 billion devices. [59]

Recent activity by the team can still be seen in several noted threat disclosures, for example the "FHAPPI" state-sponsored malware attack, [60] the discovery of the first ARC processor malware, [61] [62] [63] and the "Strudel" threat analysis (a credential-stealing scheme). [64] The team continues to post new Linux malware research on Twitter and its subreddit.

Related Research Articles

Denial-of-service attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

Timeline of computer viruses and worms

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Zombie (computing)

In computing, a zombie is a computer connected to the Internet that has been compromised by a hacker via a computer virus, computer worm, or trojan horse program and can be used to perform malicious tasks under the remote direction of the hacker. Zombie computers often coordinate together in a botnet controlled by the hacker, and are used for activities such as spreading e-mail spam and launching distributed denial-of-service attacks against web servers. Most victims are unaware that their computers have become zombies. The concept is similar to the zombie of Haitian Voodoo folklore, which refers to a corpse resurrected by a sorcerer via magic and is enslaved to the sorcerer's commands, having no free will of its own. A coordinated DDoS attack by multiple botnet machines also resembles a "zombie horde attack", as depicted in fictional zombie films.

Botnet

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013 its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

XOR DDoS is a Linux Trojan with rootkit capabilities that was used to launch large-scale DDoS attacks. Its name stems from the heavy use of XOR encryption in both the malware itself and its network communication with the C&Cs. It is built for multiple Linux architectures, such as ARM, x86 and x64. Noteworthy about XOR DDoS is its ability to hide itself with an embedded rootkit component that is obtained through multiple installation steps. It was discovered in September 2014 by MalwareMustDie, a white hat malware research group. From November 2014 it was involved in a massive brute-force campaign that lasted at least three months.

Dridex also known as Bugat and Cridex is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

BASHLITE is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

Mirai is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.

DDoS attack on Dyn

The DDoS attack on Dyn was a series of distributed denial-of-service attacks on October 21, 2016, targeting systems operated by Domain Name System (DNS) provider Dyn. The attack caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America. The groups Anonymous and New World Hackers claimed responsibility for the attack, but scant evidence was provided.

Remaiten is malware that infects Linux on embedded systems by brute-forcing logins with a list of frequently used default username and password combinations.

Linux.Wifatch

Linux.Wifatch is an open-source piece of malware which has been noted for not having been used for malicious actions, instead attempting to secure devices from other malware.

Linux Spike Trojan malware, more widely known as MrBlack, is a type of malware that infects routers and eventually spreads to other routers. Incapsula, an internet security firm, first saw this malware in December 2014. It tends to attack devices that still use default credentials. A "bot" is a type of malware that allows an attacker to take control of an affected computer. Also known as "web robots", bots are usually part of a network of infected machines, known as a "botnet", which is typically made up of victim machines spread across the globe.

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. In 2021 the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.

njRAT, also known as Bladabindi, is a remote access tool (RAT) or trojan which allows the holder of the program to control the end-user's computer. It was first found in June 2013 with some variants traced to November 2012. It was made by a hacking organization from different countries called Sparclyheason and was often used against targets in the Middle East. It can be spread through phishing and infected drives.

Hajime is a malware which appears to be similar to the Wifatch malware in that it appears to attempt to secure devices. Hajime is also far more advanced than Mirai, according to various researchers.

Hack Forums

Hack Forums is an Internet forum dedicated to discussions related to hacker culture and computer security. The website ranks as the number one website in the "Hacking" category in terms of web-traffic by the analysis company Alexa Internet. The website has been widely reported as facilitating online criminal activity, such as the case of Zachary Shames, who was arrested for selling keylogging software on Hack Forums in 2013 which was used to steal personal information.

MikroTik

MikroTik is a Latvian network equipment manufacturer. The company develops and sells wired and wireless network routers, network switches, access points, as well as operating systems and auxiliary software. The company was founded in 1996 with the focus of selling equipment in emerging markets. As of August 2019, the company website reported an estimated 280 employees. In 2015, with a revenue of EUR 202M, Mikrotik was the 20th largest company in Latvia.

References

  1. Jorg Thoma (March 3, 2013). "Nachts nehmen wir Malware-Seiten hoch". Golem.de (in German). Retrieved 3 March 2013.
  2. Darren Pauli (September 12, 2013). "The rise of the whitehats". IT News. Retrieved 12 September 2013.
  3. "MalwareMustDie! · MMD Malware Research Blog". blog.malwaremustdie.org.
  4. unixfreaxjp (November 22, 2016). "Linux Malware Research List Updated". MalwareMustDie. Retrieved 22 November 2016.
  5. Emiliano Martinez (November 11, 2014). "virustotal += Detailed ELF information". VirusTotal. Retrieved 11 November 2014.
  6. Ram Kumar (June 4, 2013). "Ransomware, IRC Worm, Zeus, Botnets source codes shared in Germany Torrent". E Hacking News. Retrieved 4 June 2013.
  7. Catalin Cimpanu (June 24, 2016). "Ukrainian Group May Be Behind New DELoader Malware". Softpedia. Retrieved 24 June 2016.
  8. UnderNews Actu (July 27, 2013). "Malware Must Die : Operation Tango Down - sur des sites russes malveillants". undernews.fr. Retrieved 27 July 2013.
  9. Dan Goodin (January 7, 2014). "Researchers warn of new, meaner ransomware with unbreakable crypto". Ars Technica. Retrieved 7 January 2014.
  10. Ionut Ilascu (October 10, 2014). "Mayhem Botnet Relies on Shellshock Exploit to Expand". Softpedia. Retrieved 10 October 2014.
  11. Michael Mimoso (October 9, 2014). "Shellshock Exploits Spreading Mayhem Botnet Malware". Threat Post. Retrieved 9 October 2014.
  12. Michael Mimoso (August 28, 2013). "Kelihos Relying on CBL Blacklists to Evaluate New Bots". Threat Post. Retrieved 28 August 2013.
  13. Eduard Kovacs (November 13, 2013). "Second Version of Hlux/Kelihos Botnet". Softpedia. Retrieved 13 November 2013.
  14. Ionut Ilascu (July 6, 2015). "Infections with ZeusVM Banking Malware Expected to Spike As Building Kit Is Leaked". Softpedia. Retrieved 6 July 2015.
  15. Info Security Magazine (April 5, 2013). "Darkleech infects 20,000 websites in just a few weeks". www.infosecurity-magazine.com. Retrieved 5 April 2013.
  16. Brian Prince (August 19, 2013). "CookieBomb Attacks Compromise Legitimate Sites". www.securityweek.com. Retrieved 19 August 2013.
  17. njccic (December 28, 2016). "Mirai Botnet". The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). Retrieved 28 December 2016.
  18. Odisseus (September 5, 2016). "Linux/Mirai ELF, when malware is recycled could be still dangerous". www.securityaffairs.co. Retrieved 5 September 2016.
  19. Allan Tan (December 12, 2014). "Bots-powered DDOS looms large over Asia's banks". www.enterpriseinnovation.net. Retrieved 12 December 2014.
  20. Johannes B. Ullrich, Ph.D. (October 3, 2016). "The Short Life of a Vulnerable DVR Connected to the Internet". www.isc.sans.edu. Retrieved 3 October 2016.
  21. Catalin Cimpanu (September 5, 2016). "LuaBot Is the First DDoS Malware Coded in Lua Targeting Linux Platforms". Softpedia. Retrieved 5 September 2016.
  22. Catalin Cimpanu (September 17, 2016). "LuaBot Author Says His Malware Is "Not Harmful"". Softpedia. Retrieved 17 September 2016.
  23. David Bisson (October 17, 2016). "NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware". Graham Cluley. Retrieved 17 October 2016.
  24. Catalin Cimpanu (October 14, 2016). "A New Linux Trojan Called NyaDrop Threatens the IoT Landscape". Softpedia. Retrieved 14 October 2016.
  25. Charlie Osborne (November 1, 2016). "Hackers release new malware into the wild for Mirai botnet successor". ZDNet. Retrieved 1 November 2016.
  26. Ken Briodagh (November 1, 2016). "Security Blogger Identifies Next IoT Vulnerability, This Time on Linux OS". www.iotevolutionworld.com. Retrieved 1 November 2016.
  27. John Leyden (October 31, 2016). "A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet". The Register. Retrieved 31 October 2016.
  28. Liam Tung (September 25, 2014). "First attacks using shellshock Bash bug discovered". ZDNet. Retrieved 25 September 2014.
  29. John Leyden (September 9, 2014). "Use home networking kit? DDoS bot is BACK... and it has EVOLVED". The Register. Retrieved 9 September 2014.
  30. Pierluigi Paganini (August 25, 2016). "Linux.PNScan Trojan is back to compromise routers and install backdoors". securityaffairs.co. Retrieved 25 August 2016.
  31. SecurityWeek News (August 24, 2016). "Linux Trojan Brute Forces Routers to Install Backdoors". www.securityweek.com. Retrieved 24 August 2016.
  32. Catalin Cimpanu (August 25, 2016). "PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India". Softpedia. Retrieved 25 August 2016.
  33. John Leyden (March 30, 2016). "Infosec miscreants are peddling malware that will KO your router". The Register. Retrieved 30 March 2016.
  34. Steve Ragan (February 22, 2016). "Linux Mint hacked: Compromised data up for sale, ISO downloads backdoored (with Kaiten)". CSO Online. Retrieved 22 February 2016.
  35. Ionut Ilascu (April 9, 2015). "Group Uses over 300,000 Unique Passwords in SSH Log-In Brute-Force Attacks". Softpedia. Retrieved 9 April 2015.
  36. Lucian Constantin (February 6, 2015). "Sneaky Linux malware comes with sophisticated custom-built rootkit". PC World. Retrieved 6 February 2015.
  37. Liam Tung (September 30, 2015). "Linux-powered botnet generates giant denial-of-service attacks". ZDNet. Retrieved 30 September 2015.
  38. Jorg Thoma (September 4, 2014). "DDoS-Malware auf Linux-Servern entdeckt". Golem.de (in German). Retrieved 4 September 2014.
  39. Catalin Cimpanu (January 6, 2016). "Windows and Linux Malware Linked to Chinese DDoS Tool". Softpedia. Retrieved 6 January 2016.
  40. Emerging Threat (June 25, 2014). "Proofpoint Emerging Threat Daily Ruleset Update Summary 2015/06/25". Proofpoint. Retrieved 25 June 2015.
  41. Pierluigi Paganini, Odisseus and Unixfreaxjp (February 9, 2019). "Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem". www.securityaffairs.co. Retrieved 9 February 2019.
  42. Paul Scott (February 3, 2019). "Tragedy strikes! Cayosin Botnet combines Qbot and Mirai to cause Erradic behavior". perchsecurity.com. Retrieved 3 February 2019.
  43. Curtis Franklin Jr. (February 4, 2019). "New Botnet Shows Evolution of Tech and Criminal Culture". www.darkreading.com. Retrieved 4 February 2019.
  44. Pierluigi Paganini, Odisseus (April 2, 2019). "BREAKING: new update about DDoS'er Linux/DDoSMan ELF malware based on Elknot". www.securityaffairs.co. Retrieved 2 April 2019.
  45. Cyware (April 1, 2019). "New Linux/DDosMan threat emerged from an evolution of the older Elknot". www.cyware.com. Retrieved 1 April 2019.
  46. SOC Prime (April 1, 2019). "Chinese ELF Prepares New DDoS Attacks". www.socprime.com. Retrieved 1 April 2019.
  47. Pierluigi Paganini (September 30, 2019). "Analysis of a new IoT malware dubbed Linux/AirDropBot". Security Affairs. Retrieved 30 September 2019.
  48. Adm1n (October 10, 2019). "IoT Malware Linux/AirDropBot – What Found Out". Retrieved 10 October 2019.
  49. MalBot (October 1, 2019). "Linux AirDropBot Samles". Malware News. Retrieved 1 October 2019.
  50. Brittany Day (April 3, 2020). "Linux Malware: The Truth About This Growing Threat". Linux Security. Retrieved 3 April 2020.
  51. Pierluigi Paganini (February 26, 2020). "Fbot re-emerged, the backstage". Security Affairs. Retrieved 26 February 2020.
  52. Patrice Auffret (March 4, 2020). "Analyzing Mirai-FBot infected devices found by MalwareMustDie". ONYPHE - Your Internet SIEM. Retrieved 4 March 2020.
  53. Silviu Stahie (May 7, 2020). "New Kaiji Botnet Malware Targets IoT, But 'New' Doesn't Mean 'Undetectable'". Security Boulevard. Retrieved 7 May 2020.
  54. Carlton Peterson (May 6, 2020). "Researchers Find New Kaiji Botnet Targeting IoT, Linux Devices". Semi Conductors Industry. Retrieved 7 May 2020.
  55. Catalin Cimpanu (May 5, 2020). "New Kaiji malware targets IoT devices via SSH brute-force attacks". ZDNet. Retrieved 7 May 2020.
  56. Boris Ryutin, Juan Vazquez (July 17, 2013). "Adobe Flash Player Regular Expression Heap Overflow CVE-2013-0634". Rapid7. Retrieved 17 July 2013.
  57. WoW on Zataz.com (February 10, 2013). "Gondad Exploit Pack Add Flash CVE-2013-0634 Support". Eric Romang Blog at zataz.com. Retrieved 10 February 2013.
  58. Adobe team (February 1, 2014). "Adobe.com Security Acknowledgments (2014)". Adobe.com. Retrieved 1 February 2014.
  59. Jeremy Kirk (November 21, 2016). "More Dodgy Firmware Found on Android Devices". www.bankinfosecurity.com. Retrieved 21 November 2015.
  60. Pierluigi Paganini (March 21, 2017). "Dirty Political Spying Attempt behind the FHAPPI Campaign". securityaffairs.co. Retrieved 21 March 2017.
  61. Mrs. Smith (January 15, 2018). "Mirai Okiru: New DDoS botnet targets ARC-based IoT devices". CSO Online. Retrieved 15 January 2018.
  62. Mohit Kumar (January 15, 2018). "New Mirai Okiru Botnet targets devices running widely-used ARC Processors". Hacker News. Retrieved 15 January 2018.
  63. John Leyden (January 16, 2018). "New Mirai botnet species 'Okiru' hunts for ARC-based kit". The Register. Retrieved 16 January 2018.
  64. Francesco Bussoletti (February 11, 2019). "Cybercrime launched a mass credential harvesting process, leveraging an IoT botnet". www.difesaesicurezza.com. Retrieved 11 February 2019.