MalwareMustDie

MalwareMustDie, NPO^[1][2] is a whitehat security research workgroup that was launched in August 2012. MalwareMustDie is a registered nonprofit organization as a medium for IT professionals and security researchers gathered to form a work flow to reduce malware infection in the internet. The group is known for their malware analysis blog.^[3] They have a list^[4] of Linux malware research and botnet analysis that they have completed. The team communicates information about malware in general and advocates for better detection for Linux malware.^[5]

MalwareMustDie

MalwareMustDie logo
Abbreviation	MMD
Formation	August 28, 2012; 12 years ago (2012-08-28)
Type	Nonprofit organization & NGO
Purpose	Constructive research & awareness to reduce malware
Headquarters	Japan, Germany, France, United States
Region	Global
Membership	< 100
Website	www.malwaremustdie.org

MalwareMustDie is also known for their efforts in original analysis for a new emerged malware or botnet, sharing of their found malware source code^[6] to the law enforcement and security industry, operations to dismantle several malicious infrastructure,^[7][8] technical analysis on specific malware's infection methods and reports for the cyber crime emerged toolkits.

Several notable internet threats that were first discovered and announced by MalwareMustDie are:

• Prison Locker^[9] (ransomware)
• Mayhem^[10][11] (Linux botnet)
• Kelihos botnet v2^[12][13]
• ZeusVM^[14]
• Darkleech botnet analysis^[15]
• KINS (Crime Toolkit)
• Cookie Bomb^[16] (malicious PHP traffic redirection)
• Mirai^{[17][18][19][20]}
• LuaBot^[21][22]
• NyaDrop^[23][24]
• NewAidra or IRCTelnet^[25][26][27]
• Torlus aka Gafgyt/Lizkebab/Bashdoor/Qbot/BASHLITE)^[28]
• LightAidra ^[29]
• PNScan^[30][31][32]
• STD Bot
• Kaiten^[33][34] botnets (Linux DDoS or malicious proxy botnet Linux malware)
• ChinaZ (China DDoS Trojan)
• Xor DDoS^[35][36][37] (China DDoS Trojan)
• IpTablesx^[38] (China DDoS Trojan)
• DDoSTF^[39] (China DDoS Trojan)
• DESDownloader^[40] (China DDoS Trojan)
• Cayosin DDoS botnet^[41][42][43]
• DDoSMan^[44][45][46] (China DDoS Trojan)
• AirDropBot DDoS botnet^[47][48][49]
• Mirai FBot DDoS botnet^[50][51][52]
• Kaiji IoT DDoS/bruter botnet^[53][54][55]

MalwareMustDie has also been active in analysis for client vector threat's vulnerability. For example, Adobe Flash CVE-2013-0634 (LadyBoyle SWF exploit)^[56][57] and other undisclosed Adobe vulnerabilities in 2014 have received Security Acknowledgments for Independent Security Researchers from Adobe.^[58] Another vulnerability researched by the team was reverse engineering a proof of concept for a backdoor case (CVE-2016-6564) of one brand of Android phone device that was later found to affect 2 billion devices.^[59]

Recent activity of the team still can be seen in several noted threat disclosures, for example, the "FHAPPI" state-sponsored malware attack,^[60] the finding of first ARC processor malware,^[61][62][63] and "Strudel" threat analysis (credential stealing scheme). ^[64] The team continues to post new Linux malware research on Twitter and their subreddit.

MalwareMustDie compares their mission to the Crusades, emphasizing the importance of fighting online threats out of a sense of moral duty. Many people have joined the group because they want to help the community by contributing to this effort.^[65]

References

1. Jorg Thoma (March 3, 2013). "Nachts nehmen wir Malware-Seiten hoch". Golem.de [de]. Retrieved 3 March 2013.
2. Darren Pauli (September 12, 2013). "The rise of the whitehats". IT News. Retrieved 12 September 2013.
3. "MalwareMustDie! · MMD Malware Research Blog". blog.malwaremustdie.org.
4. unixfreaxjp (November 22, 2016). "Linux Malware Research List Updated". MalwareMustDie. Retrieved 22 November 2016.
5. Emiliano Martinez (November 11, 2014). "virustotal += Detailed ELF information". Virus Total. Retrieved 11 November 2014.
6. Ram Kumar (June 4, 2013). "Ransomware, IRC Worm, Zeus, Botnets source codes shared in Germany Torrent". E Hacking News. Retrieved 4 June 2013.
7. Catalin Cimpanu (June 24, 2016). "Ukrainian Group May Be Behind New DELoader Malware". Softpedia. Retrieved 24 June 2016.
8. UnderNews Actu (July 27, 2013). "Malware Must Die : Operation Tango Down - sur des sites russes malveillants". undernews.fr. Retrieved 27 July 2013.
9. Dan Goodin (January 7, 2014). "Researchers warn of new, meaner ransomware with unbreakable crypto". Ars Technica. Retrieved 7 January 2014.
10. Ionut Ilascu (October 10, 2014). "Mayhem Botnet Relies on Shellshock Exploit to Expand". Softpedia. Retrieved 10 October 2014.
11. Michael Mimoso (October 9, 2014). "Shellshock Exploits Spreading Mayhem Botnet Malware". Threat Post. Retrieved 9 October 2014.
12. Michael Mimoso (August 28, 2013). "Kelihos Relying on CBL Blacklists to Evaluate New Bots". Threat Post. Retrieved 28 August 2013.
13. Eduard Kovacs (November 13, 2013). "Second Version of Hlux/Kelihos Botnet". Softpedia. Retrieved 13 November 2013.
14. Ionut Ilascu (July 6, 2015). "Infections with ZeusVM Banking Malware Expected to Spike As Building Kit Is Leaked". Softpedia. Retrieved 6 July 2015.
15. Info Security Magazine (April 5, 2013). "Darkleech infects 20,000 websites in just a few weeks". www.infosecurity-magazine.com. Retrieved 5 April 2013.
16. Brian Prince (August 19, 2013). "CookieBomb Attacks Compromise Legitimate Sites". www.securityweek.com. Retrieved 19 August 2013.
17. njccic (December 28, 2016). "Mirai Botnet". The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). Retrieved 28 December 2016.
18. Odisseus (September 5, 2016). "Linux/Mirai ELF, when malware is recycled could be still dangerous". www.securityaffairs.co. Retrieved 5 September 2016.
19. Allan Tan (December 12, 2014). "Bots-powered DDOS looms large over Asia's banks". www.enterpriseinnovation.net. Retrieved 12 December 2014.
20. Johannes B. Ullrich, Ph.D. (October 3, 2016). "The Short Life of a Vulnerable DVR Connected to the Internet". www.isc.sans.edu. Retrieved 3 October 2016.
21. Catalin Cimpanu (September 5, 2016). "LuaBot Is the First DDoS Malware Coded in Lua Targeting Linux Platforms". Softpedia. Retrieved 5 September 2016.
22. Catalin Cimpanu (September 17, 2016). "LuaBot Author Says His Malware Is "Not Harmful"". Softpedia. Retrieved 17 September 2016.
23. David Bisson (October 17, 2016). "NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware". Graham Cluley. Retrieved 17 October 2016.
24. Catalin Cimpanu (October 14, 2016). "A New Linux Trojan Called NyaDrop Threatens the IoT Landscape". Softpedia. Retrieved 14 October 2016.
25. Charlie Osborne (November 1, 2016). "Hackers release new malware into the wild for Mirai botnet successor". ZDNET. Retrieved 1 November 2016.
26. Ken Briodagh (November 1, 2016). "Security Blogger Identifies Next IoT Vulnerability, This Time on Linux OS". www.iotevolutionworld.com. Retrieved 1 November 2016.
27. John Leyden (October 31, 2016). "A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet". The Register. Retrieved 31 October 2016.
28. Liam Tung (September 25, 2014). "First attacks using shellshock Bash bug discovered". ZDNet. Retrieved 25 September 2014.
29. John Leyden (September 9, 2014). "Use home networking kit? DDoS bot is BACK... and it has EVOLVED". The Register. Retrieved 9 September 2014.
30. Pierluigi Paganini (August 25, 2016). "Linux.PNScan Trojan is back to compromise routers and install backdoors". securityaffairs.co. Retrieved 25 August 2016.
31. SecurityWeek News (August 24, 2016). "Linux Trojan Brute Forces Routers to Install Backdoors". www.securityweek.com. Retrieved 24 August 2016.
32. Catalin Cimpanu (August 25, 2016). "PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India". Softpedia. Retrieved 25 August 2016.
33. John Leyden (March 30, 2016). "Infosec miscreants are peddling malware that will KO your router". The Register. Retrieved 30 March 2016.
34. Steve Ragan (February 22, 2016). "Linux Mint hacked: Compromised data up for sale, ISO downloads backdoored (with Kaiten)". CSO Online. Retrieved 22 February 2016.
35. Ionut Ilascu (April 9, 2015). "Group Uses over 300,000 Unique Passwords in SSH Log-In Brute-Force Attacks". Softpedia. Retrieved 9 April 2015.
36. Lucian Constantin (February 6, 2015). "Sneaky Linux malware comes with sophisticated custom-built rootkit". PC World. Retrieved 6 February 2015.
37. Liam Tung (September 30, 2015). "Linux-powered botnet generates giant denial-of-service attacks". ZDNet. Retrieved 30 September 2015.
38. Jorg Thoma (September 4, 2014). "DDoS-Malware auf Linux-Servern entdeckt". Golem.de [de]. Retrieved 4 September 2014.
39. Catalin Cimpanu (January 6, 2016). "Windows and Linux Malware Linked to Chinese DDoS Tool". Softpedia. Retrieved 6 January 2016.
40. Emerging Threat (June 25, 2014). "Proofpoint Emerging Threat Daily Ruleset Update Summary 2015/06/25". Proofpoint. Retrieved 25 June 2015.
41. Pierluigi Paganini, Odisseus and Unixfreaxjp (February 9, 2019). "Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem". www.securityaffairs.co. Retrieved February 9, 2019.
42. Paul Scott (February 3, 2019). "Tragedy strikes! Cayosin Botnet combines Qbot and Mirai to cause Erradic behavior". perchsecurity.com. Retrieved February 3, 2019.
43. Curtis Franklin Jr. (February 4, 2019). "New Botnet Shows Evolution of Tech and Criminal Culture". www.darkreading.com. Retrieved February 4, 2019.
44. Pierluigi Paganini, Odisseus (April 2, 2019). "BREAKING: new update about DDoS'er Linux/DDoSMan ELF malware based on Elknot". www.securityaffairs.co. Retrieved April 2, 2019.
45. Cyware (April 1, 2019). "New Linux/DDosMan threat emerged from an evolution of the older Elknot". www.cyware.com. Retrieved April 1, 2019.
46. SOC Prime (April 1, 2019). "Chinese ELF Prepares New DDoS Attacks". www.socprime.com. Retrieved April 1, 2019.
47. Pierluigi Paganini (September 30, 2019). "Analysis of a new IoT malware dubbed Linux/AirDropBot". Security Affairs. Retrieved September 30, 2019.
48. Adm1n (October 10, 2019). "IoT Malware Linux/AirDropBot – What Found Out". October 10, 2019. Retrieved October 10, 2019.{{cite web}}: CS1 maint: numeric names: authors list (link)
49. MalBot (October 1, 2019). "Linux AirDropBot Samles". Malware News. Retrieved October 1, 2019.
50. Brittany Day (April 3, 2020). "Linux Malware: The Truth About This Growing Threat". Linux Security. Retrieved April 3, 2020.
51. Pierluigi Paganini (February 26, 2020). "Fbot re-emerged, the backstage". Security Affairs. Retrieved February 26, 2020.
52. Patrice Auffret (March 4, 2020). "Analyzing Mirai-FBot infected devices found by MalwareMustDie". ONYPHE - Your Internet SIEM. Retrieved March 4, 2020.
53. Silviu Stahie (May 7, 2020). "New Kaiji Botnet Malware Targets IoT, But 'New' Doesn't Mean 'Undetectable'". Security Boulevard. Retrieved May 7, 2020.
54. Carlton Peterson (May 6, 2020). "Researchers Find New Kaiji Botnet Targeting IoT, Linux Devices". Semi Conductors Industry. Retrieved May 7, 2020.
55. Catalin Cimpanu (May 5, 2020). "New Kaiji malware targets IoT devices via SSH brute-force attacks". ZDNet. Retrieved May 7, 2020.
56. Boris Ryutin, Juan Vazquaez (July 17, 2013). "Adobe Flash Player Regular Expression Heap Overflow CVE-2013-0634". Rapid7. Retrieved 17 July 2013.
57. WoW on Zataz.com (February 10, 2013). "Gondad Exploit Pack Add Flash CVE-2013-0634 Support". Eric Romang Blog at zataz.com. Retrieved 10 February 2013.
58. Adobe team (February 1, 2014). "Adobe.com Security Acknowledgments (2014)". Adobe.com. Retrieved 1 February 2014.
59. Jeremy Kirk (November 21, 2016). "More Dodgy Firmware Found on Android Devices". www.bankinfosecurity.com. Retrieved 21 November 2015.
60. Pierluigi Paganini (March 21, 2017). "Dirty Political Spying Attempt behind the FHAPPI Campaign". securityaffairs.co. Retrieved 21 March 2017.
61. Mrs. Smith (January 15, 2018). "Mirai Okiru: New DDoS botnet targets ARC-based IoT devices". CSO Online. Retrieved 15 January 2018.
62. Mohit Kumar (January 15, 2018). "New Mirai Okiru Botnet targets devices running widely-used ARC Processors". Hacker News. Retrieved 15 January 2018.
63. John Leyden (January 16, 2018). "New Mirai botnet species 'Okiru' hunts for ARC-based kit". The Register. Retrieved 16 January 2018.
64. Francesco Bussoletti (February 11, 2019). "Cybercrime launched a mass credential harvesting process, leveraging an IoT botnet". www.difesaesicurezza.com. Retrieved 11 February 2019.
65. Taylor, Laura (2017). "Fight Back Against Cybercrime". SSRN Electronic Journal. doi:10.2139/ssrn.3532785. ISSN 1556-5068.