
Linux Operation Windigo hit 500,000 PCs and 25,000 dedicated servers

Antivirus firm ESET has been tracking and investigating the operation behind Linux/Ebury, uncovering a sophisticated campaign called Operation Windigo.

Operation Windigo is the name of a sophisticated malware-based campaign uncovered by security experts at ESET that, exploiting the Linux/Ebury backdoor, has impacted more than 500,000 computers and 25,000 dedicated servers.

ESET researchers collaborated with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and many other agencies to counteract the malicious campaign, which affected numerous countries including the US, Germany, France, Italy, Great Britain, the Netherlands, the Russian Federation, Ukraine, Mexico and Canada.

At the end of 2013 security experts detected thousands of infected Linux systems all around the world. The victims’ systems were infected by an OpenSSH backdoor trojan and credential stealer named Linux/Ebury; the malware allows hackers to take control of the affected victims’ machines.

Researchers at the ESET antivirus firm conducted a deep investigation of the Linux/Ebury backdoor and discovered that the large-scale campaign, dubbed Operation Windigo, has been ongoing since at least 2011.

“We discovered an infrastructure used for malicious activities that is all hosted on compromised servers. We were also able to find a link between different malware components such as Linux/Cdorked, Perl/Calfbot and Win32/Glupteba.M and realized they are all operated by the same group.”

The compromised infrastructure was used to steal SSH credentials, hijack Internet users to malicious websites and send spam.

The attackers behind Operation Windigo don’t exploit zero-day vulnerabilities against Linux or Unix systems; they exploit known weaknesses to build and maintain their botnet.

Operation Windigo hit popular entities such as the Linux Foundation and cPanel. The hackers compromised a wide range of operating systems, including Apple OS X, FreeBSD, OpenBSD, Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture.

“Malicious modules used in Operation Windigo are designed to be portable. The spam-sending module has been seen running on all kinds of operating systems while the SSH backdoor has been witnessed both on Linux and FreeBSD servers,” states the ESET report.

ESET experts revealed that the quality of the malicious code is high and that the attackers demonstrated a deep knowledge of Linux platforms: the HTTP backdoor can infect Apache’s httpd, Nginx and lighttpd web servers. The attackers adopted various techniques depending on the level of access they had on the targeted environment.

“No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past,” ESET reported. “According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today,” the report says of the servers compromised using the Linux/Ebury OpenSSH backdoor.

It has been estimated that the cybercriminals responsible for Operation Windigo compromised an impressive number of machines and used them for malicious activities, for example sending more than 35,000,000 spam messages per day.

“If a victim uses a smartphone to visit the malicious link from spam mails, they will be redirected to porn sites, with the intention of making money.”

The report also provides instructions to easily discover whether a system has been infected; administrators can run the following Unix/Linux command:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

It is strongly suggested that victims of Operation Windigo reinstall the system or reset all passwords and private OpenSSH keys.
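The one-liner above works because the Ebury-patched ssh binary described in the report accepts the -G option, while the OpenSSH of that era rejected it. OpenSSH 6.8 and later accept -G as a documented option, so the same one-liner now reports a clean modern host as "infected". The script below is an added example (not ESET's code and not part of the original article) that wraps the same heuristic with that caveat handled; the function names and the three-way verdict are this example's own.

```shell
#!/bin/sh
# Added example (not ESET's code): wraps the "ssh -G" heuristic from the
# Windigo report and returns a three-way verdict. OpenSSH 6.8 and later
# accept -G as a documented option, so on such systems the original
# one-liner prints "System infected" on a clean host; here that case is
# reported as "inconclusive" instead of as a false positive.

# classify_ssh_g_output OUTPUT VERSION
#   OUTPUT  = what `ssh -G 2>&1` printed
#   VERSION = what `ssh -V 2>&1` printed (e.g. "OpenSSH_6.2p2, OpenSSL ...")
# Prints one of: clean | suspicious | inconclusive
classify_ssh_g_output() {
    out="$1"
    ver="$2"
    major=$(printf '%s' "$ver" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s' "$ver" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
    if [ -n "$major" ] && [ -n "$minor" ]; then
        if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
            # -G is legitimate here: an accepted option proves nothing
            echo inconclusive
            return 0
        fi
    fi
    # Pre-6.8 OpenSSH rejects -G ("illegal option" / "unknown option");
    # an ssh that silently accepts it matches the Ebury-patched binary
    # described in the report.
    case "$out" in
        *illegal*|*unknown*) echo clean ;;
        *)                   echo suspicious ;;
    esac
}

# check_local_ssh: run the heuristic against the ssh found in PATH.
check_local_ssh() {
    command -v ssh >/dev/null 2>&1 || { echo inconclusive; return 0; }
    classify_ssh_g_output "$(ssh -G 2>&1)" "$(ssh -V 2>&1)"
}

# Usage: run on the host under review. "suspicious" means follow the report's
# advice (reinstall, then rotate all passwords and OpenSSH private keys);
# "inconclusive" means this heuristic cannot decide on this OpenSSH version.
verdict=$(check_local_ssh)
echo "ssh -G heuristic: $verdict"
```

On an "inconclusive" host the report's remediation advice still applies if there is any other sign of compromise; the heuristic simply cannot confirm or rule out Ebury there.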


Pierluigi Paganini

(Security Affairs –  Linux, Operation Windigo)

