
Linux servers under attack by Windigo

By Regina Pazvakavambwa, ITWeb portals journalist.
Johannesburg, 07 Apr 2014
If a server is infected by Windigo, visitors to that Web site will be redirected to malicious content before reaching their target Web page, says Lee Bristow, security consultant for ESET.

IT security company ESET has discovered a worldwide cyber criminal campaign targeting Linux servers, which it has named Operation Windigo.

The main component of Operation Windigo is Linux/Ebury, says Lee Bristow, security consultant at ESET. He explains that this malware spreads by stealing SSH credentials. A human then uses the stolen credentials to log in to the compromised servers and install the credential-stealing code, Bristow adds.
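The infection chain described above, a stolen password followed by an interactive login from wherever the attacker sits, leaves a trace a defender can look for: a successful password login for an account from a source address that account has never used before. The script below is an added example, not part of the ITWeb article or ESET's report. It parses sshd lines in standard syslog format (the hostnames, addresses and timestamps are constructed sample data), builds a per-account baseline of known source addresses from a trusted log window, and reports password logins from addresses outside that baseline. Public-key logins are deliberately ignored, since the scenario here is a stolen password rather than a stolen key.

```python
"""Flag SSH password logins from source addresses an account has not used before.

Added example (not from the ITWeb article or ESET's report). Sample log
lines, hostnames and addresses are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sshd log excerpt in syslog format; hosts, PIDs and IPs are made up.
SAMPLE_AUTH_LOG = """\
Apr  1 08:12:01 web01 sshd[2201]: Accepted password for deploy from 203.0.113.10 port 51022 ssh2
Apr  1 09:30:44 web01 sshd[2290]: Accepted publickey for ops from 198.51.100.7 port 40112 ssh2
Apr  2 08:15:09 web01 sshd[2410]: Accepted password for deploy from 203.0.113.10 port 51130 ssh2
Apr  5 03:41:27 web01 sshd[3101]: Failed password for root from 192.0.2.44 port 33001 ssh2
Apr  5 03:42:10 web01 sshd[3105]: Accepted password for deploy from 192.0.2.44 port 33002 ssh2
Apr  6 22:05:55 web01 sshd[3300]: Accepted password for ops from 192.0.2.44 port 33500 ssh2
"""

# Matches the "Accepted <method> for <user> from <addr> port <n>" line sshd
# writes on every successful login. IPv4 and IPv6 addresses both match.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def parse_accepted(log_text):
    """Yield (user, method, src) for each successful sshd login line."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            yield m.group("user"), m.group("method"), m.group("src")


def filter_days(log_text, day_prefixes):
    """Keep only lines whose syslog timestamp starts with one of day_prefixes."""
    return "\n".join(
        line for line in log_text.splitlines() if line.startswith(tuple(day_prefixes))
    )


def baseline_from_log(log_text):
    """Build a user -> {source address} baseline from a trusted log window."""
    baseline = defaultdict(set)
    for user, _method, src in parse_accepted(log_text):
        baseline[user].add(src)
    return dict(baseline)


def new_source_logins(log_text, baseline):
    """Return [(user, src)] for password logins whose source is not in baseline.

    Key-based logins are skipped: the check targets a stolen password.
    Each (user, src) pair is reported once, then treated as seen so that a
    burst of logins from one new address produces a single alert.
    """
    seen = defaultdict(set)
    for user, known in baseline.items():
        seen[user] = set(known)
    flagged = []
    for user, method, src in parse_accepted(log_text):
        if method != "password":
            continue
        if src not in seen[user]:
            flagged.append((user, src))
            seen[user].add(src)
    return flagged


if __name__ == "__main__":
    # Treat the first two days as the trusted window, then scan the whole log.
    trusted = filter_days(SAMPLE_AUTH_LOG, ("Apr  1", "Apr  2"))
    known = baseline_from_log(trusted)
    for user, src in new_source_logins(SAMPLE_AUTH_LOG, known):
        print(f"password login for {user} from unfamiliar source {src}")
```

In practice the trusted window is a period you have reason to believe predates any compromise, and the output is a starting point for investigation rather than a verdict: a legitimate administrator on a new network will also appear. The check also says nothing about a login that uses an address already in the baseline, which is exactly why the article's advice on two-factor authentication and unique passwords matters more than any detection rule.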

According to an ESET report, 25 000 servers and 50 000 computers worldwide have been infected and Bristow says more than 100 servers in SA were compromised over the past 12 months.

If a server is infected by Windigo, visitors to that Web site will be redirected to malicious content before reaching their target Web page, Bristow notes. ESET discovered that the hackers make profit by infecting Web users' computers through downloads, spam and redirecting Web traffic to advertisement networks.

"The culprits of this attack are after money. Sending spam, performing click fraud and redirecting Web traffic all have significant value on the underground market," says Bristow.

While some experts have spotted elements of the Windigo cyber criminal campaign, the sheer size and complexity of the operation has remained largely unrealised by the security community, says ESET.

"Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10 000 servers under its control," says ESET security researcher Marc-Étienne Léveillé.

"Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit Web sites that have been poisoned by Web server malware planted by Operation Windigo, which then redirects users to malicious exploit kits and advertisements."

Interestingly, ESET adds, although Windigo-affected Web sites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.

ESET has published a report on Operation Windigo to help educate users and system administrators and give them proper tools to defend against the malware. Bristow advises that using two-factor authentication and not using the same password on two different systems are two easy steps to protect against credential-stealing attacks.

"This is what we have achieved by publishing our report: the list of indicators of compromises and, of course, adding detection for each component in our security product. We are also collaborating with an international working group to notify victims and help them clean their systems," he says.

The report listed cPanel and the Linux Foundation as among the known servers and organisations that were infected by this Trojan. The targeted operating systems include Linux and even Windows, with the US as the top affected country.
