MalwareMustDie
MalwareMustDie, NPO[1][2] as a whitehat security research workgroup that was launched in August 2012. MalwareMustDie is a registered Nonprofit organization as a medium for IT professionals and security researchers gathered to form a work flow to reduce malware infection in the internet. The group is known for their malware analysis blog.[3] They have a list[4] of Linux malware research and botnet analysis that they have completed. The team communicates information about malware in general and advocates for better detection for Linux malware.[5]
MalwareMustDie logo | |
Abbreviation | MMD |
---|---|
Formation | August 28, 2012 |
Type | |
Purpose |
|
Headquarters | Japan, Germany, France, United States |
Region | Global |
Membership | < 100 |
Website | www |
MalwareMustDie is also known for their efforts in original analysis for a new emerged malware or botnet, sharing of their found malware source code[6] to the law enforcement and security industry, operations to dismantle several malicious infrastructure,[7][8] technical analysis on specific malware's infection methods and reports for the cyber crime emerged toolkits.
Several notable internet threats that were first discovered and announced by MalwareMustDie are:
- Prison Locker[9] (ransomware)
- Mayhem[10][11] (Linux botnet)
- Kelihos botnet v2[12][13]
- ZeusVM[14]
- Darkleech botnet analysis[15]
- KINS (Crime Toolkit)
- Cookie Bomb[16] (malicious PHP traffic redirection)
- Mirai[17][18][19][20]
- LuaBot[21][22]
- NyaDrop[23][24]
- NewAidra or IRCTelnet[25][26][27]
- Torlus aka Gafgyt/Lizkebab/Bashdoor/Qbot/BASHLITE)[28]
- LightAidra [29]
- PNScan[30][31][32]
- STD Bot
- Kaiten[33][34] botnets (Linux DDoS or malicious proxy botnet Linux malware)
- ChinaZ (China DDoS Trojan)
- Xor DDoS[35][36][37] (China DDoS Trojan)
- IpTablesx[38] (China DDoS Trojan)
- DDoSTF[39] (China DDoS Trojan)
- DESDownloader[40] (China DDoS Trojan)
- Cayosin DDoS botnet[41][42][43]
- DDoSMan[44][45][46] (China DDoS Trojan)
- AirDropBot DDoS botnet[47][48][49]
- Mirai FBot DDoS botnet[50][51][52]
- Kaiji IoT DDoS/bruter botnet[53][54][55]
MalwareMustDie has also been active in analysis for client vector threat's vulnerability. For example, Adobe Flash CVE-2013-0634 (LadyBoyle SWF exploit)[56][57] and other undisclosed Adobe vulnerabilities in 2014 have received Security Acknowledgments for Independent Security Researchers from Adobe.[58] Another vulnerability researched by the team was reverse engineering a proof of concept for a backdoor case (CVE-2016-6564) of one brand of Android phone device that was later found to affect 2 billion devices.[59]
Recent activity of the team still can be seen in several noted threat disclosures, for example, the "FHAPPI" state-sponsored malware attack,[60] the finding of first ARC processor malware,[61][62][63] and "Strudel" threat analysis (credential stealing scheme). [64] The team continues to post new Linux malware research on Twitter and their subreddit.
References
- Jorg Thoma (March 3, 2013). "Nachts nehmen wir Malware-Seiten hoch". Golem.de. Retrieved 3 March 2013.
- Darren Pauli (September 12, 2013). "The rise of the whitehats". IT News. Retrieved 12 September 2013.
- "MalwareMustDie! · MMD Malware Research Blog". blog.malwaremustdie.org.
- unixfreaxjp (November 22, 2016). "Linux Malware Research List Updated". MalwareMustDie. Retrieved 22 November 2016.
- Emiliano Martinez (November 11, 2014). "virustotal += Detailed ELF information". Virus Total. Retrieved 11 November 2014.
- Ram Kumar (June 4, 2013). "Ransomware, IRC Worm, Zeus, Botnets source codes shared in Germany Torrent". E Hacking News. Retrieved 4 June 2013.
- Catalin Cimpanu (June 24, 2016). "Ukrainian Group May Be Behind New DELoader Malware". Softpedia. Retrieved 24 June 2016.
- UnderNews Actu (July 27, 2013). "Malware Must Die : Operation Tango Down - sur des sites russes malveillants". undernews.fr. Retrieved 27 July 2013.
- Dan Goodin (January 7, 2014). "Researchers warn of new, meaner ransomware with unbreakable crypto". Ars Technica. Retrieved 7 January 2014.
- Ionut Ilascu (October 10, 2014). "Mayhem Botnet Relies on Shellshock Exploit to Expand". Softpedia. Retrieved 10 October 2014.
- Michael Mimoso (October 9, 2014). "Shellshock Exploits Spreading Mayhem Botnet Malware". Threat Post. Retrieved 9 October 2014.
- Michael Mimoso (August 28, 2013). "Kelihos Relying on CBL Blacklists to Evaluate New Bots". Threat Post. Retrieved 28 August 2013.
- Eduard Kovacs (November 13, 2013). "Second Version of Hlux/Kelihos Botnet". Softpedia. Retrieved 13 November 2013.
- Ionut Ilascu (July 6, 2015). "Infections with ZeusVM Banking Malware Expected to Spike As Building Kit Is Leaked". Softpedia. Retrieved 6 July 2015.
- Info Security Magazine (April 5, 2013). "Darkleech infects 20,000 websites in just a few weeks". www.infosecurity-magazine.com. Retrieved 5 April 2013.
- Brian Prince (August 19, 2013). "CookieBomb Attacks Compromise Legitimate Sites". www.securityweek.com. Retrieved 19 August 2013.
- njccic (December 28, 2016). "Mirai Botnet". The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). Retrieved 28 December 2016.
- Odisseus (September 5, 2016). "Linux/Mirai ELF, when malware is recycled could be still dangerous". www.securityaffairs.co. Retrieved 5 September 2016.
- Allan Tan (December 12, 2014). "Bots-powered DDOS looms large over Asia's banks". www.enterpriseinnovation.net. Retrieved 12 December 2014.
- Johannes B. Ullrich, Ph.D. (October 3, 2016). "The Short Life of a Vulnerable DVR Connected to the Internet". www.isc.sans.edu. Retrieved 3 October 2016.
- Catalin Cimpanu (September 5, 2016). "LuaBot Is the First DDoS Malware Coded in Lua Targeting Linux Platforms". Softpedia. Retrieved 5 September 2016.
- Catalin Cimpanu (September 17, 2016). "LuaBot Author Says His Malware Is "Not Harmful"". Softpedia. Retrieved 17 September 2016.
- David Bisson (October 17, 2016). "NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware". Graham Cluley. Retrieved 17 October 2016.
- Catalin Cimpanu (October 14, 2016). "A New Linux Trojan Called NyaDrop Threatens the IoT Landscape". Softpedia. Retrieved 14 October 2016.
- Charlie Osborne (November 1, 2016). "Hackers release new malware into the wild for Mirai botnet successor". ZDNET. Retrieved 1 November 2016.
- Ken Briodagh (November 1, 2016). "Security Blogger Identifies Next IoT Vulnerability, This Time on Linux OS". www.iotevolutionworld.com. Retrieved 1 November 2016.
- John Leyden (October 31, 2016). "A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet". The Register. Retrieved 31 October 2016.
- Liam Tung (September 25, 2014). "First attacks using shellshock Bash bug discovered". ZDNet. Retrieved 25 September 2014.
- John Leyden (September 9, 2014). "Use home networking kit? DDoS bot is BACK... and it has EVOLVED". The Register. Retrieved 9 September 2014.
- Pierluigi Paganini (August 25, 2016). "Linux.PNScan Trojan is back to compromise routers and install backdoors". securityaffairs.co. Retrieved 25 August 2016.
- SecurityWeek News (August 24, 2016). "Linux Trojan Brute Forces Routers to Install Backdoors". www.securityweek.com. Retrieved 24 August 2016.
- Catalin Cimpanu (August 25, 2016). "PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India". Softpedia. Retrieved 25 August 2016.
- John Leyden (March 30, 2016). "Infosec miscreants are peddling malware that will KO your router". The Register. Retrieved 30 March 2016.
- Steve Ragan (February 22, 2016). "Linux Mint hacked: Compromised data up for sale, ISO downloads backdoored (with Kaiten)". CSO Online. Retrieved 22 February 2016.
- Ionut Ilascu (April 9, 2015). "Group Uses over 300,000 Unique Passwords in SSH Log-In Brute-Force Attacks". Softpedia. Retrieved 9 April 2015.
- Lucian Constantin (February 6, 2015). "Sneaky Linux malware comes with sophisticated custom-built rootkit". PC World. Retrieved 6 February 2015.
- Liam Tung (September 30, 2015). "Linux-powered botnet generates giant denial-of-service attacks". ZDNet. Retrieved 30 September 2015.
- Jorg Thoma (September 4, 2014). "DDoS-Malware auf Linux-Servern entdeckt". Golem.de. Retrieved 4 September 2014.
- Catalin Cimpanu (January 6, 2016). "Windows and Linux Malware Linked to Chinese DDoS Tool". Softpedia. Retrieved 6 January 2016.
- Emerging Threat (June 25, 2014). "Proofpoint Emerging Threat Daily Ruleset Update Summary 2015/06/25". Proofpoint. Retrieved 25 June 2015.
- Pierluigi Paganini, Odisseus and Unixfreaxjp (February 9, 2019). "Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem". www.securityaffairs.co. Retrieved February 9, 2019.
- Paul Scott (February 3, 2019). "Tragedy strikes! Cayosin Botnet combines Qbot and Mirai to cause Erradic behavior". perchsecurity.com. Retrieved February 3, 2019.
- Curtis Franklin Jr. (February 4, 2019). "New Botnet Shows Evolution of Tech and Criminal Culture". www.darkreading.com. Retrieved February 4, 2019.
- Pierluigi Paganini, Odisseus (April 2, 2019). "BREAKING: new update about DDoS'er Linux/DDoSMan ELF malware based on Elknot". www.securityaffairs.co. Retrieved April 2, 2019.
- Cyware (April 1, 2019). "New Linux/DDosMan threat emerged from an evolution of the older Elknot". www.cyware.com. Retrieved April 1, 2019.
- SOC Prime (April 1, 2019). "Chinese ELF Prepares New DDoS Attacks". www.socprime.com. Retrieved April 1, 2019.
- Pierluigi Paganini (September 30, 2019). "Analysis of a new IoT malware dubbed Linux/AirDropBot". Security Affairs. Retrieved September 30, 2019.
- Adm1n (October 10, 2019). "IoT Malware Linux/AirDropBot – What Found Out". October 10, 2019. Retrieved October 10, 2019.
- MalBot (October 1, 2019). "Linux AirDropBot Samles". Malware News. Retrieved October 1, 2019.
- Brittany Day (April 3, 2020). "Linux Malware: The Truth About This Growing Threat". Linux Security. Retrieved April 3, 2020.
- Pierluigi Paganini (February 26, 2020). "Fbot re-emerged, the backstage". Security Affairs. Retrieved February 26, 2020.
- Patrice Auffret (March 4, 2020). "Analyzing Mirai-FBot infected devices found by MalwareMustDie". ONYPHE - Your Internet SIEM. Retrieved March 4, 2020.
- Silviu Stahie (May 7, 2020). "New Kaiji Botnet Malware Targets IoT, But 'New' Doesn't Mean 'Undetectable'". Security Boulevard. Retrieved May 7, 2020.
- Carlton Peterson (May 6, 2020). "Researchers Find New Kaiji Botnet Targeting IoT, Linux Devices". Semi Conductors Industry. Retrieved May 7, 2020.
- Catalin Cimpanu (May 5, 2020). "New Kaiji malware targets IoT devices via SSH brute-force attacks". ZDNet. Retrieved May 7, 2020.
- Boris Ryutin, Juan Vazquaez (July 17, 2013). "Adobe Flash Player Regular Expression Heap Overflow CVE-2013-0634". Rapid7. Retrieved 17 July 2013.
- WoW on Zataz.com (February 10, 2013). "Gondad Exploit Pack Add Flash CVE-2013-0634 Support". Eric Romang Blog at zataz.com. Retrieved 10 February 2013.
- Adobe team (February 1, 2014). "Adobe.com Security Acknowledgments (2014)". Adobe.com. Retrieved 1 February 2014.
- Jeremy Kirk (November 21, 2016). "More Dodgy Firmware Found on Android Devices". www.bankinfosecurity.com. Retrieved 21 November 2015.
- Pierluigi Paganini (March 21, 2017). "Dirty Political Spying Attempt behind the FHAPPI Campaign". securityaffairs.co. Retrieved 21 March 2017.
- Mrs. Smith (January 15, 2018). "Mirai Okiru: New DDoS botnet targets ARC-based IoT devices". CSO Online. Retrieved 15 January 2018.
- Mohit Kumar (January 15, 2018). "New Mirai Okiru Botnet targets devices running widely-used ARC Processors". Hacker News. Retrieved 15 January 2018.
- John Leyden (January 16, 2018). "New Mirai botnet species 'Okiru' hunts for ARC-based kit". The Register. Retrieved 16 January 2018.
- Francesco Bussoletti (February 11, 2019). "Cybercrime launched a mass credential harvesting process, leveraging an IoT botnet". www.difesaesicurezza.com. Retrieved 11 February 2019.