A widespread cybercriminal campaign has seized control of over 25,000 Unix servers worldwide, ESET reports. Dubbed “Operation Windigo”, this malicious campaign has been running for years and uses a nexus of sophisticated malware components designed to hijack servers, infect the computers that visit them, and steal information.
ESET security researcher Marc-Étienne Léveillé says:
“Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control. Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”
Of course, it’s money
The purpose of Operation Windigo is to earn money through:
- Spam
- Infecting web users’ computers through drive-by downloads
- Redirecting web traffic to advertisement networks
Apart from sending spam emails, websites running on infected servers attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are served adverts for dating sites and iPhone owners are redirected to pornographic online content.
Does this mean it does not infect desktop Linux? I cannot say, and the report mentions nothing about it.
Inside Windigo
ESET published a detailed report with the team’s investigation and malware analysis, along with guidance on how to tell whether a system is infected and instructions for recovering it. According to the report, Operation Windigo consists of the following malware:
- Linux/Ebury: runs mostly on Linux servers. It provides a root backdoor shell and has the ability to steal SSH credentials.
- Linux/Cdorked: runs mostly on Linux web servers. It provides a backdoor shell and distributes Windows malware to end users via drive-by downloads.
- Linux/Onimiki: runs on Linux DNS servers. It resolves domain names with a particular pattern to any IP address, without the need to change any server-side configuration.
- Perl/Calfbot: runs on most platforms that support Perl. It is a lightweight spam bot written in Perl.
- Win32/Boaxxe.G, click-fraud malware, and Win32/Glubteta.M, a generic proxy, run on Windows computers. These are the two threats distributed via drive-by download.
Check if your server is a victim
If you are a sysadmin, it is worth checking whether your server is a Windigo victim. ESET provides the following command to check if a system is infected with any of the Windigo malware:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
If your system is infected, you are advised to wipe the affected computers and reinstall the operating system and software. Hard luck, but it is necessary to ensure safety.
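The one-liner works because a stock OpenSSH client of that era rejects -G with an "illegal option" or "unknown option" message, whereas the Ebury-patched client accepts it silently. The check has one caveat worth knowing: OpenSSH 6.8 (released in 2015) added a genuine -G option that prints the effective client configuration, so on a current client a clean ssh also accepts -G and the test reports "infected" by mistake. The script below is an added example, not ESET's or the article's own code; it wraps the same test but reads the client version from ssh -V and reports "inconclusive" instead of "infected" when the client is 6.8 or newer. The function names and the sample banners used in the comments are my own.

```shell
#!/bin/sh
# Added example: classify the result of the ESET "ssh -G" test while
# accounting for OpenSSH >= 6.8, where -G is a documented option.

# Extract "major.minor" from an "ssh -V" banner, e.g.
# "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014" -> "6.6".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# True (exit 0) when the banner is OpenSSH 6.8 or newer, i.e. when
# accepting -G is normal behaviour and proves nothing about Ebury.
has_native_dash_g() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# $1: combined stdout+stderr of "ssh -G"; $2: banner from "ssh -V".
# Prints one of: clean / inconclusive / infected.
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean          # stock client rejected -G: ESET's "clean" case
    elif has_native_dash_g "$2"; then
        echo inconclusive   # -G is legitimate on this version; use other checks
    else
        echo infected       # old client silently accepted -G: Ebury signature
    fi
}

# Run the classification against the local ssh client.
check_local_ssh() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed"; return 2; }
    out=$(ssh -G 2>&1)        # no host given: a clean old client complains here
    banner=$(ssh -V 2>&1)     # ssh -V writes its banner to stderr
    classify_ssh_g "$out" "$banner"
}

# Usage: source this file and call check_local_ssh, or run it directly.
[ "${0##*/}" = "windigo_check.sh" ] && check_local_ssh
```

An "inconclusive" result on a modern client is not a clean bill of health; it only means this particular test cannot distinguish a stock OpenSSH from a patched one, and the rest of ESET's guidance still applies. A "clean" result from an old client is likewise only evidence against Ebury, not against the other Windigo components.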
Eternal vigilance is the price of liberty. That applies here too.
This just sounds fake to me.
Security companies are known to blow things out of proportion to scare users into buying their product. I can’t say if it is the same case here, but apparently the hacking of Kernel.org two years back was a part of it.
You also need to explain how we know whether the system is infected after issuing the piped ssh-grep-echo command. Is the output of the command the one and only diagnosis?
The G option will be present with Ebury. Which means it will be present in compromised systems. If you don’t see it, perhaps your server is secured :)
You can join the discussion on the ESET blog: http://www.welivesecurity.com/2014/03/18/attack-unix-operation-windigo/
Haha, excellent start!!
I don’t have -G option in ssh
Typical Linux hacker explanation, with blind self-importance: that’s the command, that’s all you need.