Mayhem Botnet Description
The Mayhem Botnet spreads using Shellshock exploits as well as several other vulnerabilities. These types of attacks have gained notoriety because they have been used to target Linux and Unix servers with Trojan infections that are in turn used to distribute other types of threats. Attackers exploit the Shellshock vulnerabilities in the Bash command-line interpreter to distribute Mayhem, a threat that integrates infected computers into the Mayhem Botnet, which is responsible for numerous high-level attacks.
The Use of Strong Passwords May Prevent the Mayhem Botnet from Accessing a PC
The Mayhem Botnet was discovered and analyzed in early 2015 by Russian researchers. The Mayhem Botnet is installed using a PHP script that is uploaded to the targeted server by means of compromised FTP passwords, brute-force attacks that obtain administrator credentials, or vulnerabilities in the targeted websites. Because of this, it is still of the utmost importance that server administrators protect their servers with strong passwords that cannot be cracked using brute force. Weak passwords are among the most common causes of the spread of server-targeting threats like the Mayhem Botnet.
The main component linked to the Mayhem Botnet is a threatening ELF (Executable and Linkable Format) library file that downloads and hides other plug-ins once the Mayhem Botnet is installed. This file uses a hidden and encrypted file system to store its data, making the data difficult to find for anyone who does not know that it is there. These plug-ins allow third parties to take over the infected server in order to attack other websites. In recent attacks, third parties have used the compromised Web servers to inject corrupted advertisements and other threats into websites hosted on the affected server. Other problems that have been linked to these attacks include redirects to compromised websites containing exploits that deliver threats.
The Mayhem Botnet Represents a Coordinated Effort to Target Linux Servers
It is believed that the Mayhem Botnet consisted of about 1,400 infected computers as of the summer of 2014, although this number has probably increased. In that analysis, at least two separate Command and Control servers had been associated with the Mayhem Botnet. New vulnerabilities and exploits are added to the Mayhem Botnet arsenal constantly. The most recent addition to the Mayhem Botnet's bag of tricks is the use of Shellshock exploits. Shellshock refers to vulnerabilities in the Linux Bash command-line interpreter that, when exploited, may be used to execute code on the affected computer remotely. The Mayhem Botnet is currently engaged in expanding its numbers. First the Mayhem Botnet probes Web servers to determine whether they can be attacked using Shellshock, and then (if they can), the attack is deployed using threatening scripts.
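The probing stage described above leaves traces in Web server access logs, because a Shellshock request carries a Bash function definition (a value beginning with "() {") in a request field. The following detection sketch is an added example, not part of the original analysis; it assumes Apache/nginx combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A Shellshock request value starts with a Bash function definition: "() {"
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

def find_shellshock_probes(lines):
    """Return (ip, time, field, status) for each logged field carrying the marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("time"), field,
                             int(m.group("status"))))
    return hits

def probes_per_source(hits):
    """Count marker hits per client address to show repeated probing."""
    return Counter(ip for ip, *_ in hits)

# Constructed sample lines (documentation IP ranges, payload body elided)
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/status.cgi '
    'HTTP/1.1" 200 312 "-" "() { :;}; [elided]"',
    '203.0.113.9 - - [10/Oct/2014:13:56:01 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "http://example.com/?cb=fn()" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Oct/2014:13:56:40 +0000] "GET /cgi-bin/test.cgi '
    'HTTP/1.1" 404 209 "() { :; }; [elided]" "-"',
    'malformed line that is not in combined log format',
]

if __name__ == "__main__":
    found = find_shellshock_probes(SAMPLE_LOG)
    for ip, when, field, status in found:
        # A 2xx status on a CGI path deserves the first look during triage
        print(f"{when}  {ip}  marker in {field}  status={status}")
    print(dict(probes_per_source(found)))
```

A hit only shows that a server was probed; whether the request succeeded depends on whether the Bash version behind the requested script was patched.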
Facing the Mayhem Botnet and Its Attacks
Fortunately, most vulnerabilities associated with the Mayhem Botnet have been patched. Unfortunately, many Web servers are still without these updates, meaning that they remain vulnerable to these attacks. One important step in stopping these types of attacks is realizing that, contrary to popular belief, Linux and Unix are not threat-proof. In fact, threats targeting these systems are more threatening than most because they are relatively unexpected and because the infrastructure to protect computers from these types of threats may not be in place. The practice of targeting servers is especially worrying because a single infected server may infect thousands of visitors' computers and compromise many different domains hosted on it. Server administrators can protect themselves and others principally by using strong passwords and taking all the steps necessary to ensure that their servers are impervious to attacks. Computer users can protect themselves from compromised servers by using strong anti-malware software that is fully up-to-date, a firewall and real-time threat protection that can intercept threats before they are installed.