Security researchers from ESET, CERT-Bund and other agencies have been monitoring a cybercriminal operation in which over 25,000 UNIX servers have been infected and abused over the past two years. The campaign has been dubbed “Windigo” (the name of a mythical creature from Algonquian Native American folklore).
Infected servers are being used to send out 35 million spam emails each day, putting around 500,000 computers at risk of getting infected with malware.
“Each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.
Most of the impacted servers are located in the US, Germany, France and the UK. Many of the affected servers belong to hosting providers. The list of victims includes companies such as cPanel and kernel.org.
ESET has been investigating the campaign for around one year. In total, 25,000 servers have been infected, over 10,000 of which still are.
Mac users are not ignored by the cybercriminals who run the operation. While Windows users are directed to malware-serving exploit kits, people who visit the infected websites from Macs are redirected to adult content or served ads for dating sites.
Léveillé highlights the fact that the Ebury backdoor deployed by the attackers doesn’t exploit Linux or OpenSSH vulnerabilities. Instead, it’s manually planted.
“The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment,” the expert said.
Pierre-Marc Bureau, security intelligence program manager at ESET, has told Softpedia that they’ve decided to investigate the campaign because cybercriminal operations that rely on Linux malware are not something we get to see every day, particularly when it comes to an operation as complex as Windigo.
Bureau says that this is the biggest botnet of servers they have ever seen. The expert says that it’s difficult to determine precisely who is behind the campaign. What they do know is that the bot masters are skilled in programming and the administration of Linux systems. Additionally, they’re probably well connected in the underground, considering their capabilities to send spam and install malware.
Administrators who suspect that their servers might be compromised can run the following command to check:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
Infected devices should be wiped and the operating system and software should be reinstalled. Since the malware distributed in the campaign is designed to steal information, it’s important that all passwords and private keys are changed.
In order to protect themselves against Windigo and similar operations, organizations are advised to utilize two-factor authentication and monitor for changes in critical services.
The complete paper of the Windigo operation is available on ESET’s website.