A collaboration between ESET security researchers, CERT-Bund, the Swedish National Infrastructure for Computing, the CERN and other security agencies, helped uncover a seriously big cyber-attack campaign that took control of over 25,000 Unix servers on an international scale.
The attack was code-named “Operation Windigo” by the security researchers who finally uncovered the mystery. ESET reported the attack being “large and sophisticated”, purported by a group of malicious criminals who stole SSH credentials, redirected browsing traffic to malware sites and sent out mass spam for at least the past 3 years. Back in August 2011, The Linux Foundation announced that several of their servers as well as hundreds of kermel.org users had been compromised by sophisticated malware. Multiple news articles surfaced at the same time describing what little was known about the several attacks detected, but a conclusion was never reached.
The malware had such a great ability to cross over platforms and remain undetected by many system administrators for a long time. It is said that up to half of a million web visitors were redirected to malicious sites every day. That’s right 500,000 computers daily. Windows users are reported to have got the worst end being redirected to malware, while OSX and iOS users found to have a higher percentage of spam scammers or adult rated ads showing up on their devices instead.
The infected servers have been reported to have sent out millions of emails containing spam and malware. Informational theft was confirmed and big players such cPanel and kernel.org made the list of the attacked victims.
ESET released a complete and well documented 61 page report of the collective analysis done to uncover the attacks and how the malware operated. The backdoor Trojan’s complexity was described as being an example of the weak protection today’s operation systems provide. Advising the programming level has to improve to render the systems more capable of defending against new age attacks.
Here is the list of “Key Findings” presented at the start of the document;
• The Windigo operation has been ongoing since at least 2011
• More than 25,000 unique servers have been compromised in the last two years
• A wide range of operating system have been compromised by the attackers; Apple OS X,
OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux, including Linux
on the ARM architecture
• Malicious modules used in Operation Windigo are designed to be portable. The spam-sending
module has been seen running on all kinds of operating systems while the SSH backdoor has been
witnessed both on Linux and FreeBSD servers
• Well known organizations including cPanel and Linux Foundation fell victim of this operation
• Windigo is responsible for sending an average of 35 million spam messages on a daily basis
• More than 700 web servers are currently redirecting visitors to malicious content
• Over half a million visitors to legitimate websites hosted on servers compromised by Windigo
are being redirected to an exploit kit every day
• The success rate of exploitation of visiting computers is approximately 1%
• The malicious group favors stopping malicious activity over being detected
• The quality of the various malware pieces is high: stealthy, portable, sound cryptography
(session keys and nonces) and shows a deep knowledge of the Linux ecosystem
• The HTTP backdoor is portable to Apache’s httpd, Nginx and lighttpd
• The gang maximizes available server resources by running different malware and activities
depending on the level of access they have
• No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
We conclude that password-authentication on servers should be a thing of the past
The paper also includes guidance to detect if any given computer is infected and how to remove the virus. Visit their download page blog here or download the ‘Operation Windigo’ paper here. Finally, you can find some good information for VPN services for your Windows or Mac machines.