Linux Operation Windigo hit 500000 PC and 25000 dedicated servers

Pierluigi Paganini March 19, 2014

Antivirus Firm ESET has been tracking and investigating the operation behind Linux_Ebury uncovering a sophisticated campaign called Operation Windigo.

Operation Windigo is the name of a sophisticated malware-based campaign uncovered by security Experts at ESET, that exploiting the Linux/Ebury backdoor has impacted more 500,000 computers and 25,000 dedicated servers.

ESET Researchers collaborated with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and many other agencies to counteract the malicious campaign that affected numerous countries including US, Germany, France, Italy, Great Britain, Netherlands, Russian Federation, Ukraine, Mexico and Canada.

operation windigo Geo infection

At the end of 2013 security experts detected thousands of infected Linux systems all around the around. The victims’ systems were infected  by an OpenSSH backdoor trojan and credential stealer named Linux/Ebury, the malware allows hackers to take control of the affected victims’ PC.

operation windigo

Researchers at ESET antivirus firm have conducted a deep investigation on the Linux/Ebury backdoor, discovering the large-scale campaign dubbed Operation Windigo has been ongoing since at least 2011.

“We discovered an infrastructure used for malicious activities that is all hosted on compromised servers. We were also able to find a link between different malware components such as Linux/Cdorked, Perl/Calfbot and Win32/Glupteba.M and realized they are all operated by the same group.”

The compromised infrastructures were used to steal SSH credentials, hijack Internet user to malicious websites and send spam.

The attackers behind the Operation Windigo don’t exploit zero-day against Linux or Unix systems, they exploit known weaknesses to build and maintain their botnet.

The Operation Windigo hit popular entities, like the Linux Foundation and cPanel, the hackers compromised a wide range of operating systems, including Apple OS X, FreeBSD, OpenBSD,  Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture.

“Malicious modules used in Operation Windigo are designed to be portable. The spam-sending module has been seen running on all kinds of operating systems while the SSH backdoor has been witnessed both on Linux and FreeBSD servers.” states ESET report.

ESET experts revealed that the quality of the malicious code used is high, the attackers demonstrated a deep knowledge of Linux platforms, the HTTP backdoor can infect Apache’s httpd, Nginx and lighttpd

web servers. The attackers adopted various techniques depending on the level of access they have on the targeted environment.

“No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past” According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today.” ESET reported, “using the Linux/Ebury OpenSSH backdoor

It has been estimated that the cyber criminals responsible for the Operation Windigo compromised an impressive number of machines  using them for malicious activities, for example sending more than 35,000,000 spam messages per day.

“If victim will use a Smartphone to surf the malicious link from Spam mails, they will be redirected to Porn sites, with the intention of making money.”

The report also provides the instructions to easily discover if systems have been infected, administrators can use run the following unix/linux command:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

It strongly suggested to the victims of Operation Windingo to re-install the system or re-set all passwords and private OpenSSH keys.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Linux, Operation Windigo)

[adrotate banner=”13″]


you might also like

leave a comment