
Sucuri Blog

Website Security News


Mayhem Malware Server Botnet Continues to Evolve

October 12, 2017 | Jose Martinez

Three years ago, researchers at Yandex discovered a complex server infection, dubbed Mayhem, that embeds itself deep in a system by dropping a compiled shared object and running it as a persistent service. Because the shared object runs as a process in its own right, the malware can operate under the restricted privileges of the web server account, and it is difficult to clean up effectively: restoring an infected site from a backup replaces the site files but leaves the running malware in place.

Mayhem is essentially a malicious bot for web servers. It accepts a set of commands from a C&C (command and control) server, and it keeps a collection of tools in a hidden file system that exploit website vulnerabilities, enumerate users, and attempt to brute-force logins.

During an incident response investigation we found that the Mayhem malware family is still in the wild, so we want to point out a few changes since the original analysis.

Server Architecture Detection

This malware targets both 32-bit and 64-bit systems and chooses the matching shared object to load depending on the architecture of the host. The PHP dropper decides this by checking whether a value larger than a signed 32-bit integer survives the conversion, as you can see below:

$arch = 64;
// On 32-bit PHP, intval() saturates at PHP_INT_MAX (2147483647),
// so a value that does not fit reveals the integer width of the host.
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
// Pick the shared object payload that matches the host.
$so = $arch == 32 ? $so32 : $so64;

Although the original malware also had a method for detecting the architecture and system type, the method has been updated, and the malicious shared object being dropped has been changed, most likely to avoid detection by monitoring tools that keyed on the old samples.

Changes to Shared Object

The next piece of code is responsible for copying and starting the malware.

Unlike the original samples from 2014, there is no longer any reference to the MAYHEM_DEBUG environment variable.

The shared object has also been renamed from libworker.so to jquery.so, following the growing trend of naming malicious files after jQuery so that they blend in with legitimate web assets.
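As an added example (not code from this post or from Sucuri), the following script turns the two observations above into an on-disk check: it looks for the intval() saturation probe the dropper uses for architecture detection, and for the shared object names (jquery.so, libworker.so) and the MAYHEM_DEBUG variable that this post says changed between the 2014 and 2017 samples. The regular expressions, the sample files and the directory layout are constructed for this example and are not Sucuri's signatures; the check assumes the dropper keeps these strings in clear text, which an obfuscated variant would not.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators drawn from the post. The patterns are written for this example
# and are not Sucuri's signatures; a dropper that obfuscates or splits these
# strings evades them (assumption: clear-text PHP on disk).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # 64-bit probe: intval() saturates to 2147483647 on 32-bit PHP
    "arch_probe": re.compile(
        r"""intval\(\s*["']9223372036854775807["']\s*\)\s*==\s*2147483647"""),
    # shared object name seen in the 2017 samples
    "so_jquery": re.compile(r"jquery\.so\b"),
    # shared object name from the original 2014 samples
    "so_libworker": re.compile(r"libworker\.so\b"),
    # debug environment variable referenced by the 2014 samples
    "debug_var": re.compile(r"\bMAYHEM_DEBUG\b"),
}


def scan_text(text: str) -> List[str]:
    """Return the names of all indicators found in one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: Path, suffixes=(".php", ".inc", ".phtml")) -> Dict[str, List[str]]:
    """Walk a web root and map each PHP-like file that has hits to its indicators."""
    hits: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        matched = scan_text(text)
        if matched:
            hits[path.relative_to(root).as_posix()] = matched
    return hits


# Constructed sample: the architecture check quoted in the post plus a
# reference to the renamed shared object. Not a real dropper.
SAMPLE_DROPPER = """<?php
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
$so = $arch == 32 ? $so32 : $so64;
$target = "jquery.so";
"""

# Constructed benign file: a legitimate integer-width check and a real jQuery
# script reference, neither of which should trip the scan.
SAMPLE_BENIGN = """<?php
$bits = PHP_INT_SIZE * 8;
wp_enqueue_script('jquery', 'jquery.min.js');
"""


def demo() -> Dict[str, List[str]]:
    """Build a throwaway web root from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()  # hypothetical path, not a real WordPress file
        (root / "wp-includes" / "cache-helper.php").write_text(SAMPLE_DROPPER)
        (root / "index.php").write_text(SAMPLE_BENIGN)
        # .js is outside the scanned suffixes, so a genuine jQuery copy is
        # never reported even though its name contains "jquery"
        (root / "jquery.min.js").write_text("/* jQuery v1.12.4 */")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, names in demo().items():
        print(f"{rel}: {', '.join(names)}")
```

Point scan_tree() at the document root of a live site to use it for real. Because the post describes the shared object as a running service, an on-disk scan should be paired with a runtime check; on Linux, grepping the memory maps of every process (for example `grep -l 'jquery.so' /proc/[0-9]*/maps`) shows which processes have a library of that name mapped, on the assumption that the object is loaded under the same name it was dropped with.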

Conclusion

This kind of malware shows how attractive web servers have become to malware authors. As discussed in the original article, web servers are more powerful than personal computers and often have fewer anti-malware controls in place. As campaigns like this continue to evolve, service providers and system administrators need to monitor their environments more closely and protect them better.

To block the exploitation of vulnerabilities in your website software and to stop brute force attacks, we suggest using a Web Application Firewall (WAF). A WAF reduces the chance of the initial compromise; a server that is already infected still needs the running shared object and its service found, stopped and removed, since restoring site files alone will not do it.


Categories: Website Malware Infections. Tags: Botnet, Server Security, Webserver Infections

About Jose Martinez

Jose is a Security Researcher at Sucuri. He enjoys coding tools that group malware with similar characteristics for improving detection. He spends his free time with his family.

Reader Interactions

Comments

  1. Benjamin Miskie

    October 12, 2017

    Suggestions on how to detect infection…?

  2. Dale VMF

    October 12, 2017

    Insightful Jose, thank you 🙂
