Click on this link to view a PDF of the Operation Windigo report.
If your system is infected, it is strongly recommended that you re-install the operating system. Be sure to treat every credential ever used to log in to the compromised machine as exposed when restoring your system.
If you are a victim, all passwords and OpenSSH keys, whether private or public, should be changed.
The attack has been named “Windigo” after the mythical creature from Algonquian Native American folklore.
This attack has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from the compromised machines.
Hackers have been using hijacked web servers to infect visiting Windows PCs with click-fraud and spam-sending malware, while Mac users are served website adverts.
Windigo spam even finds its way to smartphone users: iPhones are redirected to X-rated content, with the intention of making money for the cybercriminals.
ESET’s security research team has released a detailed technical paper on “Operation Windigo”, and says it believes the cybercrime campaign is gathering strength. It has gone largely unnoticed by the security community for almost three years, which is quite some time not to notice such a security issue.
“Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over a half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.
Windigo’s approach to hijacking servers and infecting computers uses a cluster of sophisticated malware components: Linux/Ebury (an OpenSSH backdoor and credential stealer that was the subject of a detailed investigation by ESET researchers earlier this month), Linux/Cdorked, Perl/Calfbot, Linux/Onimiki, Win32/Glupteba.M and Win32/Boaxxe.G.
In one weekend, ESET researchers saw more than 1.1 million different IP addresses pass through part of Windigo’s infrastructure before being redirected to servers hosting exploit kits.
Analysis of the visiting computers revealed the range of operating systems in use. Researchers discovered that “23 people apparently still browse the Internet on Windows 98, and one person even does it on Windows 95.”
Léveillé and his fellow researchers are appealing to Unix system administrators and webmasters to run the command below, which will tell them whether their server is compromised:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
This Unix command will tell you whether your system has really been compromised by Windigo. It will also help you decide whether your system needs clean-up steps and better protection for your servers in the future.
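The check above works because the stock OpenSSH client of the day rejected -G with an "illegal option" complaint, while the Ebury-patched client silently accepted it. The script below is an added example, not code from the original post or from ESET: it wraps that same decision so it can be tested against captured output, and adds one caveat worth knowing before trusting the verdict. OpenSSH 6.8 and later accept -G as a genuine option (it dumps the client configuration), so on those builds the absence of an "illegal option" message is inconclusive rather than evidence of infection. The function names and the sample `ssh -G` and `ssh -V` outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from ESET. It wraps the
# "ssh -G" heuristic so the decision can be tested against captured output,
# and adds one caveat: OpenSSH 6.8 and later accept -G as a real option, so
# on those builds a missing "illegal option" complaint is inconclusive.

# Return 0 when the `ssh -V` banner belongs to OpenSSH 6.8 or newer (where
# -G is legitimate), 1 otherwise or when the banner is not from OpenSSH.
ssh_has_native_G() {
    banner="$1"    # e.g. "OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1d"
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; then return 0; fi
    return 1
}

# Apply the post's heuristic to captured "ssh -G 2>&1" output.
#   clean        - the stock client rejected -G ("illegal"/"unknown option")
#   inconclusive - no complaint, but this OpenSSH understands -G anyway
#   suspicious   - no complaint from a client that should have given one
classify_ssh_G_output() {
    output="$1"
    banner="$2"
    if printf '%s\n' "$output" | grep -q -e illegal -e unknown; then
        echo clean
    elif ssh_has_native_G "$banner"; then
        echo inconclusive
    else
        echo suspicious
    fi
}

# Live check against the local client; only meaningful on the server itself.
check_local_ssh() {
    command -v ssh >/dev/null 2>&1 || { echo "no ssh client found"; return 2; }
    classify_ssh_G_output "$(ssh -G 2>&1)" "$(ssh -V 2>&1)"
}

# Constructed sample outputs (not real captures) showing each verdict.
OLD_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] ...'
OLD_SILENT='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] ...'
NEW_USAGE='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] ...'

# Prints: clean / suspicious / inconclusive
demo() {
    classify_ssh_G_output "$OLD_CLEAN"  "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips"
    classify_ssh_G_output "$OLD_SILENT" "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips"
    classify_ssh_G_output "$NEW_USAGE"  "OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1d"
}

demo
```

Run it on the server itself and call `check_local_ssh` for a live verdict; a `suspicious` result on an old client is the same signal the one-liner above gives, while `inconclusive` means the -G trick cannot tell you anything on that OpenSSH version and other indicators (and the full ESET paper) are needed.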
References:
Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo – We Live Security: http://www.welivesecurity.com/2014/03/18/attack-unix-operation-windigo/