MalwareMustDie

{{Short description|Whitehat security research workgroup}}

{{Infobox organization

| name = MalwareMustDie

| image = File:MalwareMustDie,NPO Official Logo.jpg

| size =

| alt =

| caption = MalwareMustDie logo

| abbreviation = MMD

| formation = {{start date and age|2012|08|28}}

| type = {{plain list|

}}

| purpose = Security research and awareness

| region = Global

| headquarters = Japan, Germany, France, United States

| membership = < 100

| website = {{URL|https://www.malwaremustdie.org/}}

}}

MalwareMustDie (MMD), NPO{{cite web | url=https://www.golem.de/news/hacker-gegen-malware-nachts-nehmen-wir-malware-seiten-hoch-1303-98327.html | title=Nachts nehmen wir Malware-Seiten hoch | publisher={{ill|Golem.de|de}} | date=March 3, 2013 | accessdate=3 March 2013 | author=Jorg Thoma }}{{cite web | url=https://www.itnews.com.au/news/the-rise-of-the-white-hat-vigilante-356543/page0 | title=The rise of the whitehats | publisher=IT News | date=September 12, 2013 | accessdate=12 September 2013 | author= Darren Pauli }} is a white-hat hacking research workgroup that was launched in August 2012. MalwareMustDie is a registered nonprofit organization that serves as a medium for IT professionals and security researchers to gather and form a workflow for reducing malware infection on the internet. The group is known for its malware analysis blog.{{cite web|url=http://blog.malwaremustdie.org/|title=MalwareMustDie! · MMD Malware Research Blog|website=blog.malwaremustdie.org}} They maintain a list{{cite web | url=https://blog.malwaremustdie.org/p/linux-malware-research-list-updated.html | title=Linux Malware Research List Updated | publisher=MalwareMustDie | date=November 22, 2016 | accessdate=22 November 2016 | author=unixfreaxjp}} of the Linux malware research and botnet analyses they have completed. The team communicates information about malware in general and advocates for better detection of Linux malware.{{cite web | url=http://blog.virustotal.com/2014/11/virustotal-detailed-elf-information.html?spref=tw | title=virustotal += Detailed ELF information | publisher=Virus Total | date=November 11, 2014 | accessdate=11 November 2014 | author=Emiliano Martinez }}

MalwareMustDie is also known for its original analysis of newly emerged malware and botnets, for sharing the malware source code it finds{{cite web | url=http://www.ehackingnews.com/2013/06/ransomware-irc-worm-zeus-botnets-source.html | title=Ransomware, IRC Worm, Zeus, Botnets source codes shared in Germany Torrent | publisher=E Hacking News | date=June 4, 2013 | accessdate=4 June 2013 | author=Ram Kumar}} with law enforcement and the security industry, for operations to dismantle several pieces of malicious infrastructure,{{cite web | url=http://news.softpedia.com/news/ukrainian-group-may-be-behind-new-deloader-malware-505608.shtml | title=Ukrainian Group May Be Behind New DELoader Malware | publisher=Softpedia | date=June 24, 2016 | accessdate=24 June 2016 | author=Catalin Cimpanu }}{{cite web | url=https://www.undernews.fr/malwares-virus-antivirus/malware-must-die-operation-tango-down-sur-des-sites-russes-malveillants.html | title=Malware Must Die : Operation Tango Down - sur des sites russes malveillants | publisher=undernews.fr | date=July 27, 2013 | accessdate=27 July 2013 | author= UnderNews Actu }} for technical analysis of specific malware's infection methods, and for reports on newly emerged cybercrime toolkits.

Several notable internet threats that were first discovered and announced by MalwareMustDie include:

  • Prison Locker{{cite web | url=https://arstechnica.com/security/2014/01/researchers-warn-of-new-meaner-ransomware-with-unbreakable-crypto/ | title=Researchers warn of new, meaner ransomware with unbreakable crypto | publisher=Ars Technica | date=January 7, 2014 | accessdate=7 January 2014 | author=Dan Goodin }} (ransomware)
  • Mayhem{{cite web | url=http://news.softpedia.com/news/Mayhem-Botnet-Relies-On-Shellshock-Exploit-to-Expand-461770.shtml | title=Mayhem Botnet Relies on Shellshock Exploit to Expand | publisher=Softpedia | date=October 10, 2014 | accessdate=10 October 2014 | author=Ionut Ilascu }}{{cite web | url=https://threatpost.com/shellshock-exploits-spreading-mayhem-botnet-malware/108793/ | title= Shellshock Exploits Spreading Mayhem Botnet Malware | publisher=Threat Post | date=October 9, 2014 | accessdate=9 October 2014 | author=Michael Mimoso }} (Linux botnet)
  • Kelihos botnet v2{{cite web | url=https://threatpost.com/kelihos-relying-on-cbl-blacklists-to-evalute-new-bots/102127/ | title=Kelihos Relying on CBL Blacklists to Evaluate New Bots | publisher=Threat Post | date=August 28, 2013 | accessdate=28 August 2013 | author=Michael Mimoso }}{{cite web | url=http://news.softpedia.com/news/Second-Version-of-Hlux-Kelihos-Botnet-Getting-Smaller-Kaspersky-Says-399824.shtml | title=Second Version of Hlux/Kelihos Botnet | publisher=Softpedia | date=November 13, 2013 | accessdate=13 November 2013 | author= Eduard Kovacs }}
  • ZeusVM{{cite web | url=http://news.softpedia.com/news/infections-with-zeusvm-banking-malware-expected-to-spike-as-building-kit-is-leaked-486149.shtml | title=Infections with ZeusVM Banking Malware Expected to Spike As Building Kit Is Leaked | publisher=Softpedia | date=July 6, 2015 | accessdate=6 July 2015 | author=Ionut Ilascu}}
  • Darkleech botnet analysis{{cite web | url=https://www.infosecurity-magazine.com/news/darkleech-infects-20000-websites-in-just-a-few/ | title=Darkleech infects 20,000 websites in just a few weeks | website=www.infosecurity-magazine.com | date=April 5, 2013 | accessdate=5 April 2013 | author= Info Security Magazine }}
  • KINS (Crime Toolkit)
  • Cookie Bomb{{cite web | url=http://www.securityweek.com/cookiebomb-attacks-compromise-legitimate-sites | title=CookieBomb Attacks Compromise Legitimate Sites | website=www.securityweek.com | date=August 19, 2013 | accessdate=19 August 2013 | author= Brian Prince }} (malicious PHP traffic redirection)
  • Mirai{{cite web | url=https://www.cyber.nj.gov/threat-profiles/botnet-variants/mirai-botnet | title=Mirai Botnet | publisher=The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) | date=December 28, 2016 | accessdate=28 December 2016 | author=njccic }}{{cite web | url=http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html | title=Linux/Mirai ELF, when malware is recycled could be still dangerous | website=www.securityaffairs.co | date=September 5, 2016 | accessdate=5 September 2016 | author=Odisseus}}{{cite web | url=http://www.enterpriseinnovation.net/article/bots-powered-ddos-looms-large-over-asias-banks-1823173251 | title=Bots-powered DDOS looms large over Asia’s banks | website=www.enterpriseinnovation.net | date=December 12, 2014 | accessdate=12 December 2014 | author=Allan Tan}}{{cite web | url=https://isc.sans.edu/forums/diary/The+Short+Life+of+a+Vulnerable+DVR+Connected+to+the+Internet/21543/ | title=The Short Life of a Vulnerable DVR Connected to the Internet | publisher=www.isc.sans.edu | date=October 3, 2016 | accessdate=3 October 2016 | author=Johannes B. Ullrich, Ph.D.}}
  • LuaBot{{cite web | url=http://news.softpedia.com/news/luabot-is-the-first-botnet-malware-coded-in-lua-targeting-linux-platforms-507978.shtml | title=LuaBot Is the First DDoS Malware Coded in Lua Targeting Linux Platforms | publisher=Softpedia | date=September 5, 2016 | accessdate=5 September 2016 | author=Catalin Cimpanu }}{{cite web | url=http://news.softpedia.com/news/luabot-author-says-his-malware-is-not-harmful-508397.shtml | title=LuaBot Author Says His Malware Is "Not Harmful" | publisher=Softpedia | date=September 17, 2016 | accessdate=17 September 2016 | author=Catalin Cimpanu}}
  • NyaDrop{{cite web | url=https://www.grahamcluley.com/nyadrop-exploiting-iot-insecurity-infect-devices-malware/ | title=NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware | publisher=Graham Cluley | date=October 17, 2016 | accessdate=17 October 2016 | author=David Bisson}}{{cite web | url=http://news.softpedia.com/news/a-new-linux-trojan-called-nyadrop-threatens-the-iot-landscape-509278.shtml | title=A New Linux Trojan Called NyaDrop Threatens the IoT Landscape | publisher=Softpedia | date=October 14, 2016 | accessdate=14 October 2016 | author=Catalin Cimpanu }}
  • NewAidra or IRCTelnet{{cite web | url=https://www.zdnet.com/article/hackers-release-new-malware-into-the-wild-for-mirai-botnet-successor/ | title=Hackers release new malware into the wild for Mirai botnet successor | publisher=ZDNET | date=November 1, 2016 | access-date=1 November 2016 | author=Charlie Osborne }}{{cite web | url=http://www.iotevolutionworld.com/iot/articles/426650-security-blogger-identifies-next-iot-vulnerability-this-time.htm | title=Security Blogger Identifies Next IoT Vulnerability, This Time on Linux OS | website=www.iotevolutionworld.com | date=November 1, 2016 | accessdate=1 November 2016 | author=Ken Briodagh}}{{cite web | url=https://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/ | title=A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet | publisher=The Register | date=October 31, 2016 | accessdate=31 October 2016 | author=John Leyden}}
  • Torlus (aka Gafgyt/Lizkebab/Bashdoor/Qbot/BASHLITE){{cite web | url=https://www.zdnet.com/article/first-attacks-using-shellshock-bash-bug-discovered/ | title=First attacks using shellshock Bash bug discovered | publisher=ZDNet | date=September 25, 2014 | access-date=25 September 2014 | author=Liam Tung }}
  • LightAidra{{cite web | url=https://www.theregister.co.uk/2014/09/09/linux_modem_bot/ | title=Use home networking kit? DDoS bot is BACK... and it has EVOLVED | publisher=The Register | date=September 9, 2014 | accessdate=9 September 2014 | author=John Leyden }}
  • PNScan{{cite web | url=http://securityaffairs.co/wordpress/50607/malware/linux-pnscan-return.html | title=Linux.PNScan Trojan is back to compromise routers and install backdoors | website=securityaffairs.co | date=August 25, 2016 | accessdate=25 August 2016 | author=Pierluigi Paganini }}{{cite web | url=http://www.securityweek.com/linux-trojan-brute-forces-routers-install-backdoors | title=Linux Trojan Brute Forces Routers to Install Backdoors | website=www.securityweek.com | date=August 24, 2016 | accessdate=24 August 2016 | author= SecurityWeek News }}{{cite web | url=http://news.softpedia.com/news/pnscan-linux-trojan-resurfaces-with-new-attacks-targeting-routers-in-india-507617.shtml | title=PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India | publisher=Softpedia | date=August 25, 2016 | accessdate=25 August 2016 | author= Catalin Cimpanu }}
  • STD Bot
  • Kaiten{{cite web | url=https://www.theregister.co.uk/2016/03/30/router_infecting_malware_gets_remastered/ | title=Infosec miscreants are peddling malware that will KO your router | publisher=The Register | date=March 30, 2016 | accessdate=30 March 2016 | author= John Leyden }}{{cite web | url=http://www.csoonline.com/article/3035743/security/linux-mint-hacked-compromised-data-up-for-sale-iso-downloads-backdoored.html | title=Linux Mint hacked: Compromised data up for sale, ISO downloads backdoored (with Kaiten) | publisher=CSO Online | date=February 22, 2016 | accessdate=22 February 2016 | author=Steve Ragan}} botnets (Linux malware used for DDoS or as a malicious proxy botnet)
  • ChinaZ (China DDoS Trojan)
  • Xor DDoS{{cite web | url=http://news.softpedia.com/news/Group-Uses-Over-300-000-Unique-Passwords-in-SSH-Log-In-Brute-Force-Attacks-478094.shtml | title= Group Uses over 300,000 Unique Passwords in SSH Log-In Brute-Force Attacks | publisher=Softpedia | date=April 9, 2015 | accessdate=9 April 2015 | author=Ionut Ilascu }}{{cite web | url=http://www.pcworld.com/article/2881152/ddos-malware-for-linux-systems-comes-with-sophisticated-custombuilt-rootkit.html | title=Sneaky Linux malware comes with sophisticated custom-built rootkit | publisher=PC World | date=February 6, 2015 | accessdate=6 February 2015 | author=Lucian Constantin }}{{cite web | url=https://www.zdnet.com/article/linux-powered-botnet-generates-giant-denial-of-service-attacks/ | title=Linux-powered botnet generates giant denial-of-service attacks | publisher=ZDNet | date=September 30, 2015 | access-date=30 September 2015 | author=Liam Tung }} (China DDoS Trojan)
  • IpTablesx{{cite web | url=https://www.golem.de/news/botnetze-ddos-malware-auf-linux-servern-entdeckt-1409-109028.html | title=DDoS-Malware auf Linux-Servern entdeckt | publisher={{ill|Golem.de|de}} | date=September 4, 2014 | accessdate=4 September 2014 | author= Jorg Thoma }} (China DDoS Trojan)
  • DDoSTF{{cite web | url=http://news.softpedia.com/news/windows-and-linux-malware-linked-to-chinese-ddos-tool-498554.shtml | title=Windows and Linux Malware Linked to Chinese DDoS Tool | publisher=Softpedia | date=January 6, 2016 | accessdate=6 January 2016 | author=Catalin Cimpanu}} (China DDoS Trojan)
  • DESDownloader{{cite web | url=https://www.proofpoint.com/us/daily-ruleset-update-summary-2015-06-25 | title=Proofpoint Emerging Threat Daily Ruleset Update Summary 2015/06/25 | publisher=Proofpoint | date=June 25, 2014 | accessdate=25 June 2015 | author=Emerging Threat}} (China DDoS Trojan)
  • Cayosin DDoS botnet{{cite web | url=https://securityaffairs.co/wordpress/80858/cyber-crime/cayosin-botnet-mmd.html | title=Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem | website=www.securityaffairs.co | date=February 9, 2019 | accessdate=February 9, 2019 | author=Pierluigi Paganini, Odisseus and Unixfreaxjp}}{{cite web | url=https://perchsecurity.com/perch-news/threat-report-sunday-february-3rd-2019/ | title=Tragedy strikes! Cayosin Botnet combines Qbot and Mirai to cause Erradic behavior | website=perchsecurity.com | date=February 3, 2019 | accessdate=February 3, 2019 | author=Paul Scott}}{{cite web | url=https://www.darkreading.com/attacks-breaches/new-botnet-shows-evolution-of-tech-and-criminal-culture/d/d-id/1333792 | title=New Botnet Shows Evolution of Tech and Criminal Culture | website=www.darkreading.com | date=February 4, 2019 | accessdate=February 4, 2019 | author=Curtis Franklin Jr.}}
  • DDoSMan{{cite web | url=https://securityaffairs.co/wordpress/83157/malware/new-linux-ddosman-threat-emerged-from-an-evolution-of-the-older-elknot.html | title=BREAKING: new update about DDoS’er Linux/DDoSMan ELF malware based on Elknot | publisher=www.securityaffairs.co | date=April 2, 2019 | accessdate=April 2, 2019 | author=Pierluigi Paganini, Odisseus }}{{cite web | url=https://cyware.com/news/new-linuxddosman-threat-emerged-from-an-evolution-of-the-older-elknot-2b2f7fe3 | title=New Linux/DDosMan threat emerged from an evolution of the older Elknot | website=www.cyware.com | date=April 1, 2019 | accessdate=April 1, 2019 | author=Cyware}}{{cite web | url=https://socprime.com/en/news/chinese-elf-prepares-new-ddos-attacks/ | title=Chinese ELF Prepares New DDoS Attacks | website=www.socprime.com | date=April 1, 2019 | accessdate=April 1, 2019 | author=SOC Prime}} (China DDoS Trojan)
  • AirDropBot DDoS botnet{{cite web | url=https://securityaffairs.co/wordpress/91905/malware/linux-airdropbot-malware.html | title=Analysis of a new IoT malware dubbed Linux/AirDropBot | publisher=Security Affairs | date=September 30, 2019 | accessdate=September 30, 2019 | author=Pierluigi Paganini }}{{cite web | url=https://www.thelinuxmall.com/malwaremustdie-crack-at-iot-linux-airdropbot/ | title=IoT Malware Linux/AirDropBot – What Found Out | website=www.thelinuxmall.com | date=October 10, 2019 | accessdate=October 10, 2019 | author=Adm1n }}{{cite web | url=https://malware.news/t/linux-airdropbot-samples/33585 | title=Linux AirDropBot Samles | publisher=Malware News | date=October 1, 2019 | accessdate=October 1, 2019 | author=MalBot }}
  • Mirai FBot DDoS botnet{{cite web | url=https://linuxsecurity.com/features/features/linux-malware-the-truth-about-this-growing-threat | title=Linux Malware: The Truth About This Growing Threat | publisher=Linux Security | date=April 3, 2020 | accessdate=April 3, 2020 | author=Brittany Day }}{{cite web | url=https://securityaffairs.co/wordpress/98479/malware/fbot-re-emerged.html | title=Fbot re-emerged, the backstage | publisher=Security Affairs | date=February 26, 2020 | accessdate=February 26, 2020 | author=Pierluigi Paganini }}{{cite web | url=https://www.onyphe.io/blog/analyzing-mirai-fbot-infected-devices-found-by-malwaremustdie/ | title=Analyzing Mirai-FBot infected devices found by MalwareMustDie | publisher=ONYPHE - Your Internet SIEM | date=March 4, 2020 | accessdate=March 4, 2020 | author=Patrice Auffret }}
  • Kaiji IoT DDoS/bruter botnet{{cite web | url=https://securityboulevard.com/2020/05/new-kaiji-botnet-malware-targets-iot-but-new-doesnt-mean-undetectable/ | title=New Kaiji Botnet Malware Targets IoT, But 'New' Doesn't Mean 'Undetectable' | publisher=Security Boulevard | date= May 7, 2020 | accessdate= May 7, 2020 | author=Silviu Stahie }}{{cite web | url=https://semiconductorsindustry.com/2020/05/06/researchers-find-new-kaiji-botnet-targeting-iot-linux-devices/910/ | title=Researchers Find New Kaiji Botnet Targeting IoT, Linux Devices | publisher=Semi Conductors Industry | date=May 6, 2020 | accessdate=May 7, 2020 | author=Carlton Peterson }}{{cite web | url=https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/ | title=New Kaiji malware targets IoT devices via SSH brute-force attacks | publisher=ZDNet | date=May 5, 2020 | accessdate=May 7, 2020 | author= Catalin Cimpanu }}

MalwareMustDie has also been active in analyzing client-side vulnerabilities used as attack vectors. For example, its work on Adobe Flash {{CVE|2013-0634}} (the LadyBoyle SWF exploit){{cite web | url=https://www.rapid7.com/db/modules/exploit/windows/browser/adobe_flash_regex_value | title=Adobe Flash Player Regular Expression Heap Overflow CVE-2013-0634 | publisher=Rapid7 | date=July 17, 2013 | accessdate=17 July 2013 | author= Boris Ryutin, Juan Vazquaez }}{{cite web | url=http://eromang.zataz.com/2013/02/26/gong-da-gondad-exploit-pack-add-flash-cve-2013-0634-support/ | title=Gondad Exploit Pack Add Flash CVE-2013-0634 Support | publisher=Eric Romang Blog at zataz.com | date=February 10, 2013 | accessdate=10 February 2013 | author= WoW on Zataz.com }} and on other undisclosed Adobe vulnerabilities in 2014 received Security Acknowledgments for Independent Security Researchers from Adobe.{{cite web | url=https://helpx.adobe.com/security/acknowledgements.html?t1 | title=Adobe.com Security Acknowledgments (2014) | publisher=Adobe.com | date=February 1, 2014 | accessdate=1 February 2014 | author=Adobe team}} Another vulnerability researched by the team involved reverse engineering a proof of concept for a backdoor ({{CVE|2016-6564}}) in one brand of Android phone, which was later found to affect 2 billion devices.{{cite web | url=http://www.bankinfosecurity.com/blogs/more-dodgy-firmware-found-on-android-devices-p-2325 | title=More Dodgy Firmware Found on Android Devices | website=www.bankinfosecurity.com | date=November 21, 2016 | accessdate=21 November 2015 | author=Jeremy Kirk}}

The team's recent activity can still be seen in several noted threat disclosures, for example the "FHAPPI" state-sponsored malware attack,{{cite web | url=https://securityaffairs.co/wordpress/57309/apt/fhappi-campaign.html | title=Dirty Political Spying Attempt behind the FHAPPI Campaign | website=securityaffairs.co | date=March 21, 2017 | accessdate=21 March 2017 | author= Pierluigi Paganini }} the discovery of the first malware targeting ARC processors,{{cite web | url=https://www.csoonline.com/article/3247794/mirai-okiru-new-ddos-botnet-targets-arc-based-iot-devices.html | title=Mirai Okiru: New DDoS botnet targets ARC-based IoT devices | publisher=CSO Online | date=January 15, 2018 | accessdate=15 January 2018 | author= Mrs. Smith }}{{cite web | url=https://thehackernews.com/2018/01/mirai-okiru-arc-botnet.html | title=New Mirai Okiru Botnet targets devices running widely-used ARC Processors | publisher=Hacker News | date=January 15, 2018 | accessdate=15 January 2018 | author= Mohit Kumar }}{{cite web | url=https://www.theregister.co.uk/2018/01/16/arc_iot_botnet_malware/ | title=New Mirai botnet species 'Okiru' hunts for ARC-based kit | publisher=The Register | date=January 16, 2018 | accessdate=16 January 2018 | author= John Leyden }} and the "Strudel" threat analysis (a credential-stealing scheme).{{cite web | url=https://www.difesaesicurezza.com/en/cyber-en/cybercrime-launched-a-mass-credential-harvesting-process-leveraging-an-iot-botnet/ | title=Cybercrime launched a mass credential harvesting process, leveraging an IoT botnet | website=www.difesaesicurezza.com | date=February 11, 2019 | accessdate=11 February 2019 | author= Francesco Bussoletti }} The team continues to post new Linux malware research on Twitter and its subreddit.

MalwareMustDie compares its mission to the Crusades, emphasizing the importance of fighting online threats out of a sense of moral duty. Many people have joined the group because they want to help the community by contributing to this effort.{{Cite journal |last=Taylor |first=Laura |date=2017 |title=Fight Back Against Cybercrime |url=http://dx.doi.org/10.2139/ssrn.3532785 |journal=SSRN Electronic Journal |doi=10.2139/ssrn.3532785 |issn=1556-5068|url-access=subscription }}

References

{{reflist}}