OPERATION WINDIGO: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan

Security researchers at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing as well as other agencies, have uncovered a widespread cybercriminal campaign that has seized control of over 25,000 Unix servers worldwide.

The attack, which has been dubbed “Operation Windigo” by security experts, has resulted in infected servers sending out millions of spam emails. Its complex knot of sophisticated malware components is designed to hijack servers, infect the computers that visit them, and steal information. Victims of “Operation Windigo” have included cPanel and kernel.org.

ESET’s security research team, which uncovered Windigo, today published a detailed technical paper, presenting the findings of the team’s investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code. Download ESET’s detailed technical paper about “Operation Windigo”

OPERATION WINDIGO: Gathering Strength For Over Three Years

While some experts have spotted elements of the Windigo cybercriminal campaign, the sheer size and complexity of the operation have remained largely unrealised by the security community.

“Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control,” said ESET security researcher Marc-Étienne Léveillé.  “Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk.  Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”

Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.

An Appeal To Sysadmins To Take Action Against Windigo

Over 60% of the world’s websites are running on Linux servers, and ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.

“Webmasters and IT staff already have a lot of headaches and things on their mind, so we hate to add to their workload – but this is important.  Everyone wants to be a good net citizen, and this is your chance to play your part and help protect other internet users,” says Léveillé.  “The last thing anyone should want is to be part of the problem, adding to the spread of malware and spam.  A few minutes can make the difference, and ensure you are part of the solution.”

How To Tell If Your Server Has Fallen Foul Of Windigo

ESET researchers, who named Windigo after a mythical creature from Algonquian Native American folklore because of its cannibalistic nature, are appealing to Unix system administrators and webmasters to run the following command, which will tell them whether their server is compromised:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
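The one-liner relies on the fact that, when this was written, stock OpenSSH did not recognise -G and rejected it with "illegal option" or "unknown option", whereas the Ebury-patched client accepted it. As an added example (not part of ESET's post), the script below separates that decision logic into a function that can be run offline on constructed strings, and adds the caveat a practitioner needs today: OpenSSH 6.8 and later accept -G as a legitimate option, so on those builds the test cannot distinguish a clean client from a modified one. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the ESET post or from the Windigo report.
# classify_ssh_g_output takes the text printed by "ssh -G" and the banner
# printed by "ssh -V", and prints one of: clean, suspicious, unsupported-check.
#   $1: combined stdout+stderr of "ssh -G"
#   $2: version banner from "ssh -V" (e.g. "OpenSSH_6.6.1p1 ...")
classify_ssh_g_output() {
    output=$1
    banner=$2

    # Caveat: OpenSSH 6.8 (2015) made -G a real option (it dumps the effective
    # client configuration). On such a build, -G being accepted proves nothing,
    # so the article's test is not applicable rather than "infected".
    major=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1/p')
    minor=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\2/p')
    minor=${minor:-0}
    if [ -n "$major" ] && { [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; }; then
        echo unsupported-check
        return 0
    fi

    # A stock pre-6.8 client rejects -G and prints "illegal option" or
    # "unknown option"; the Ebury-patched client accepts it without complaint,
    # which is the signal the original one-liner keys on.
    case $output in
        *illegal*|*unknown*) echo clean ;;
        *)                   echo suspicious ;;
    esac
}

# Runs the check against the ssh binary actually installed on this host.
check_local_ssh() {
    out=$(ssh -G 2>&1)
    ver=$(ssh -V 2>&1)
    classify_ssh_g_output "$out" "$ver"
}
```

A "suspicious" result is a reason to investigate with the indicators in ESET's paper, not a verdict on its own, and "unsupported-check" means a different indicator must be used.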

Tough Medicine For Windigo Victims

“The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH,” continued Léveillé. “Instead it is manually installed by a malicious attacker. The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment.”

If sysadmins discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software.  It is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised.

For a higher level of protection in future, technology such as two-factor authentication should be considered.

“We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks,” explains Léveillé.  “Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line.”

All computer users are reminded that they should never reuse or choose easy-to-crack passwords.

Further Information

ESET has published a detailed investigation into the “Operation Windigo” cybercrime campaign and the various malware components which make up the threat. To download the full report, please visit ESET’s We Live Security blog. To follow the developing story on Facebook, Google+ or Twitter, please use the hashtag #windigo.

20 Responses to OPERATION WINDIGO: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan

  11. Dric64 says:

    What does the parameter -G do? I can’t find it in the ssh man page. Thanks.

    • Dric64 says:

      OK, I think I understood: if ssh -G returns something other than “unknown command” or “illegal instruction”, the system is corrupted. Right?

  13. Tremt says:

    That command is giving out false positives. My server has not sent out an email in over two weeks, and it is the ones I have sent out.
