Wednesday 19 March 2014

Operation Windigo: 25,000 Linux servers infected by malware


In cooperation with the CERT-Bund, the Swedish National Infrastructure for Computing and other institutes, ESET's malware researchers have uncovered an attack by cyber-criminals, currently more than 25,000 Unix monitored worldwide server.
High level perspective of Windigo’s components and their relationship

Due to the attack, the security experts "Operation Windigo" call servers are infected, which then send out millions of spam e-mails. But the criminals have developed a complex system of sophisticated malware components. This pirate servers, infect visiting computers and steal information. Among the victims of "Operation Windigo" include cPanel and kernel.org.
ESET released today under welivesecurity.com / windigo a detailed document that represents the results of the studies and an analysis of malware. A guide provides information about how users can check their own system for infection. In addition, ESET shows how the malicious code can be removed.
Operation Windigo: Over three years have gone unnoticed
While experts have encountered early on parts of Windigo, the full extent and complexity of these cyber criminal organization in the professional sector has remained undetected.


Flowchart of Windigo’s credential stealing scenario
"Windigo has largely won unnoticed by the security community in more than two and a half years in strength and taken control of over 10,000 servers," says ESET security researcher Marc-Etienne Leveille. "More than 35 million spam messages sent every day to the e-mail accounts of innocent users. These clog inboxes and compromise computer systems.'s Worse is that every day half a million computers are running the risk of becoming newly infected. Visiting a web page whose server has been infected by the 'Operation Windigo', ends on dangerous exploit kits or with unwanted advertising. "
Although sites were infected by Windigo Windows computers only contaminate an exploit kit with malware, even Mac users get advertisements for dating sites. iPhone owners will be redirected to pages with pornographic content.
Sysadmins are encouraged to take action against Windigo
About 60 percent of the world's websites run on a Linux server. ESET researchers ask webmasters and system administrators to review their systems to infection.
"Webmasters and IT professionals generally have much going on why we're sorry that we can make them even more work -.. However it is important it is to protect their opportunity and perhaps even duty, other Internet users," says Leveille. "Everyone should strive to prevent the spread of malware and spam. A few minutes can make a big difference and contribute to the solution."
Timeline of Events

Quick-Check for Server
The ESET experts advise Unix server administrators and webmasters, perform the following command. He is quick indication of whether the own server is compromised:
$ ssh-G 2> & 1 | grep-e-e illegally unknown> / dev / null && echo "System clean" | | echo "system infected"
In the case of an established infection ESET recommends to clean the affected computer completely and reinstall the operating system and the software. It is imperative to use new passwords and private keys. The existing credentials might be compromised.
Bitter medicine for Windigo victims
"The Ebury backdoor that was used by 'Operation Windigo', does not use the weaknesses of Linux or OpenSSH from" Leveille continues. "Instead, they will be installed manually by the attacker. It's scary that the cyber criminal group has done this successfully on thousands of different servers. During antivirus programs and two-factor authentication on clients are common, they are rarely on the protection of servers employed. This makes in relation to the theft of access and malware rankings quite vulnerable. "
Should therefore be message in the future about it for a greater degree of protection, also use technologies, such as two-factor authentication.
"We know that cleaning the server and the rebuilding of the systems is a very bitter pill. If attackers have but stolen or cracked administrators access data and were able to establish a remote access to the server, which is the only safe way," said Leveille. "Unfortunately, some of the victims, to whom we have contact, so far done nothing to clean up their systems - and thus bringing other Internet users at risk." All computer users should always remember never to use passwords that are easy to crack or have been used.
More information
A Detailed report on "Operation Windigo" is located here: Eset

No comments:

Post a Comment