Operation Windigo: Linux server-side malware campaign exposed

Mar 19, 2014 by Nancy Owano weblog

(Phys.org) —Security researchers announced Tuesday a multi-year cybercriminal campaign called Windigo in which a malicious group compromised thousands of Linux and Unix servers. Once infected, victims' systems were used to steal credentials, redirect web traffic to malicious content and send millions of spam messages per day.

The security solutions company ESET said that Windigo, while largely unnoticed by the security community, has been in operation for more than two and a half years. Pierre-Marc Bureau, security intelligence program manager at ESET, said Windigo currently has 10,000 servers under its control. "This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory." Exploring this campaign, the ESET security research team collaborated with CERT-Bund, the Swedish National Infrastructure for Computing and other agencies, observing that, once infected, victims' systems are used to redirect web traffic and send spam.

With thousands of Linux and Unix servers compromised, the Windigo operation is recognized as a large-scale effort. Its purpose seems to be monetary profit, the team said. The main components of the Windigo operation are an OpenSSH backdoor, a web redirection module and a spam-sending program. Servers located throughout the U.S., Germany, France and the UK are among those infected.

A detailed report by the ESET team was published on Tuesday, titled Operation Windigo, and the report is described as a "vivisection" of a Linux server-side malware campaign. This operation, ongoing since 2011, affected servers belonging to companies and organizations; victims included the Linux Foundation. The ESET team said the Windigo operation does not leverage any new vulnerability against Linux or Unix systems. Instead, the malicious actors exploited known systemic weaknesses to build and maintain their botnet.

Among the team's key findings: the malicious modules used in Operation Windigo are designed to be portable. The spam-sending module has been seen running on all kinds of operating systems, while the SSH backdoor has been observed on both Linux and FreeBSD servers. More than 25,000 unique servers have been compromised in the last two years. The various malware pieces are of high quality: stealthy, portable, using sound cryptography (session keys and nonces), and showing a deep knowledge of the Linux ecosystem.

ESET researchers are advising webmasters and system administrators on what actions may be taken if a compromise is discovered. "If IT administrators discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software. For a higher level of protection in the future, technology such as two-factor authentication should be considered."

The report's conclusion also takes up the issue of password authentication. "We conclude that password-authentication on servers should be a thing of the past." The team stated that "the game has changed regarding the management of servers on the Internet. Password-based login should be a thing of the past. One should seriously consider two-factor authentication or, at least, a safe use of SSH keys."
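The report's advice above boils down to a handful of sshd settings. As an added example (not code from the article or from ESET's report), the bash below audits an sshd_config for key-only login using sshd's own "first value wins, Match blocks aside" rule, and runs it over two constructed sample configs; the function names and sample contents are assumptions of mine.

```bash
# Added example, not from the article or ESET's report. sshd takes the FIRST
# value of a keyword outside Match blocks, so that is what sshd_value reports
# (case-insensitive, "Key value" or "Key=value"); Match blocks are skipped.
sshd_value() {
    local file=$1 want
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { inmatch = 1; next }
        inmatch { next }
        k == want { print tolower(f[2]); exit }
    ' "$file"
}

# Return 0 if password logins are off and public keys stay on; else list
# findings and return 1. ChallengeResponseAuthentication matters too: with
# UsePAM, keyboard-interactive can still prompt for a password.
audit_sshd_config() {
    local file=$1 bad=0 v
    v=$(sshd_value "$file" PasswordAuthentication)
    [ "$v" = no ] || { echo "PasswordAuthentication=${v:-unset (default yes)}"; bad=1; }
    v=$(sshd_value "$file" ChallengeResponseAuthentication)
    [ "$v" = no ] || { echo "ChallengeResponseAuthentication=${v:-unset (default yes)}"; bad=1; }
    v=$(sshd_value "$file" PubkeyAuthentication)
    [ "$v" != no ] || { echo "PubkeyAuthentication=no"; bad=1; }
    return "$bad"
}

# Constructed samples: a stock config that still allows passwords (the
# commented line and the Match block must not count) and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no
UsePAM yes
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    audit_sshd_config "$f" && echo "$f: key-only login"
done
```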

The company has global headquarters in Bratislava (Slovakia), with malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow, Montreal, and Moscow and a partner network.

More information: www.welivesecurity.com/wp-cont… peration_windigo.pdf

User comments : 8

Howhot
1 / 5 (1) Mar 19, 2014
10,000 is just chump change compared to the 100s of millions of infected Windows boxes live on the internet right now.

gopher65
not rated yet Mar 20, 2014
10,000 is just chump change compared to the 100s of millions of infected Windows boxes live on the internet right now.

If you look at the ratio of infected to total, it's in the same ballpark as windows.
alfie_null
not rated yet Mar 20, 2014
It's not like we haven't been lectured on potential vulnerabilities in Linux. On the one hand, its open nature does make it more of a challenge for infections to hide themselves. On the other hand, perhaps hubris has caused people to look less astutely.
Eikka
not rated yet Mar 20, 2014
On the one hand, its open nature does make it more of a challenge for infections to hide themselves. On the other hand, perhaps hubris has caused people to look less astutely.

Most system administrators are just barely competent enough to run their systems. It's not a matter of looking - it's a matter of seeing.

The argument that open source software is more secure because it is open is like posting the wiring diagram of your house security system on your front door and trusting that random people who see it will point out the flaws to you rather than exploiting them to break into your home.

If your security model is dependent on the good guys being smarter and faster than the bad guys - for free - you have no security.
cabhanlistis
5 / 5 (1) Mar 20, 2014
The argument that open source software is more secure because it is open is like posting the wiring diagram of your house security system on your front door and trusting that random people who see it will point out the flaws to you rather than exploiting them to break into your home.

That appears off to me. In this case, you have a wiring diagram that many thousands of people see over many years and where flaws are found can be fixed quickly for nothing, or by yourself if you're handy enough.

A proprietary, closed system can still be exploited, but only the criminals and the owners will ever discover those flaws, and you'll have to wait for the owners to fix it. And you'll have to continue paying for their service. But of course, with your business given to them, at least it gets some real attention by professionals dedicated to solving it to keep their customers happy.

Ultimately, it looks to weigh about the same.
Eikka
not rated yet Mar 21, 2014
That appears off to me.

The point is that there is no such thing as a perfect system. There will always be exploitable flaws. This is not a question about proprietary versus free software, but about the fact that only an idiot would pick up publicly available code, run it without modifications, and call that secure when it's just a matter of time and luck before someone pokes a hole in it and uses that hole to steal your credit card data.

A single dedicated hacker will find more bugs to exploit than a thousand mediocre system admins who never actually take a look at the source code of the software they're running anyhow, much less understand it. That's not a part of their job description.
Eikka
5 / 5 (1) Mar 21, 2014
Ultimately, it looks to weigh about the same.

It's actually worse, because if someone discovers a flaw, they cannot send out a fix in silence before it is exploited. The moment you submit the bug or hole, before a fix is even made, it's all public knowledge and everyone is open to attacks.

In keeping with the burglar alarm analogy, instead of the company sending you a letter and a box saying "You really should replace switch X with this switch provided here.", someone shouts at a street corner "Mr. Noddington here has an alarm system with a broken switch X!" and then you have to sit there a couple nights with a shotgun in your lap before someone comes up with a spare.