Click on this link to view a pdf of Operation Windigo.
If your system is infected, it is strongly recommended that you re-install the operating system. Be sure to consider all credentials that were used to log in to the compromised machine when restoring your system.
If you are a victim, change all of your passwords, regardless of whether they are used for private OpenSSH access or for public services.
The attack has been named “Windigo” after the mythical creature from Algonquian Native American folklore.
This attack has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from the compromised machines.
Hackers have been using hijacked web servers to infect visiting Windows PCs with click-fraud and spam-sending malware, while Mac users are served website adverts instead.
Windigo spam even reaches smartphone users: iPhones are redirected to X-rated content, with the aim of making money for the cyber criminals.
ESET’s security research team has released a detailed technical paper on “Operation Windigo” and says it believes the cybercrime campaign is gathering strength. It has gone largely unnoticed by the security community for almost three years.
That is quite some time not to notice such a security issue.
“Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over a half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.
Windigo’s approach to hijacking servers and infecting computers relies on a cluster of sophisticated malware components: Linux/Ebury (an OpenSSH backdoor and credential stealer that was the subject of a detailed investigation by ESET researchers earlier this month), Linux/Cdorked, Perl/Calfbot, Linux/Onimiki, Win32/Glupteba.M and Win32/Boaxxe.G.
In one weekend, ESET researchers saw more than 1.1 million different IP addresses pass through part of Windigo’s infrastructure before being redirected to servers hosting exploit kits.
An analysis of those visiting computers revealed the range of operating systems in use.
Researchers have discovered that “23 people apparently still browse the Internet on Windows 98, and one person even does it on Windows 95.”
Léveillé and his fellow researchers are appealing to Unix system administrators and webmasters to run the command below, which will tell them whether or not their server is compromised:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
This Unix command will tell you whether or not your system has actually been compromised by Windigo. It will also help you decide whether your server needs attention, so that you can take steps to clean it up and better protect your servers in the future.
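The one-liner above works because a clean OpenSSH client of that era rejects -G with “illegal option” or “unknown option”, while an Ebury-patched binary accepts it. As an added example (my own code, not ESET’s or this post’s), here is a small shell wrapper that applies the same rule to captured output and additionally flags the result as inconclusive when OpenSSH 6.8 or later is installed, since those releases implement -G natively and the heuristic then no longer separates a clean client from a trojanised one; all version strings and outputs used in the test are constructed samples.

```shell
#!/bin/sh
# Added example: wraps the "ssh -G" heuristic from the Windigo report so the
# verdict can be reasoned about, and flags the case where the installed
# OpenSSH accepts -G on its own (6.8 and later print the effective config).

# ssh_g_verdict "<combined output of 'ssh -G'>" -> prints clean|suspicious
# Mirrors the published check: an "illegal"/"unknown option" error means the
# client rejected -G, which is what an unmodified pre-6.8 OpenSSH does.
ssh_g_verdict() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo suspicious
    fi
}

# ssh_major_minor "<output of 'ssh -V'>" -> prints "MAJOR MINOR", e.g. "6 6"
# for "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL ..."; prints nothing if the
# banner does not look like OpenSSH.
ssh_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# ssh_native_G "<output of 'ssh -V'>" -> exit 0 if OpenSSH >= 6.8, where -G
# is a supported option and the heuristic cannot be trusted.
ssh_native_G() {
    set -- $(ssh_major_minor "$1")
    [ -n "$1" ] || return 1
    if [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }; then
        return 0
    fi
    return 1
}

# windigo_check "<ssh -V output>" "<ssh -G output>"
#   -> prints clean|suspicious|inconclusive
windigo_check() {
    if ssh_native_G "$1"; then
        echo inconclusive
    else
        ssh_g_verdict "$2"
    fi
}

# Live use against the local client (uncomment to run):
# windigo_check "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
```

A result of "inconclusive" means the version check, not the -G trick, should drive the next step; on such hosts the report’s other indicators (for example the shared-memory and library checks ESET describes in the PDF) are the ones to rely on.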
You can learn more about Operation Windigo and how to tell if your server has been compromised from ESET [PDF].
References: Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo – We Live Security