Operation Windigo Infects 25,000 Linux Servers Over Two Years

Security researchers at ESET have discovered an extensive malware campaign that managed to take control of at least 25,000 Linux-based servers over the last two years.

‘Operation Windigo’, named after a violent creature appearing in Native American legends (also spelled Wendigo), uses the Linux/Ebury OpenSSH backdoor in combination with other malware strains to steal user credentials and send spam messages. In addition, every day the infected servers are used to redirect half a million visitors to websites hosting malicious content.

In response, ESET has started an awareness campaign, urging administrators to check their systems for the signs of Windigo infection.

“Webmasters and IT staff already have a lot of headaches and things on their mind, so we hate to add to their workload – but this is important. Everyone wants to be a good net citizen, and this is your chance to play your part and help protect other internet users,” says ESET security researcher Marc-Étienne Léveillé.

“The last thing anyone should want is to be part of the problem, adding to the spread of malware and spam. A few minutes can make the difference, and ensure you are part of the solution.”

Beware the Windigo

ESET started looking into the outbreak of Linux/Ebury in 2013. The trail led it to uncover a massive operation that uses Linux malware to gain access to servers, and then redirects individual users to websites hosting an arsenal of malware including Linux/Cdorked, Perl/Calfbot, Linux/Onimiki, Win32/Glupteba.M, and Win32/Boaxxe.G.

While tracking down Operation Windigo, the company collaborated with organisations including the Swedish National Infrastructure for Computing, CERT-Bund and even CERN.

It appears Windigo has managed to assemble considerable bandwidth, storage and computing resources. More than 10,000 servers are still infected and controlled by the hackers today, giving them the ability to send more than 35,000,000 spam messages daily. Known Windigo victims include popular Web hosting service cPanel.net and the main server of the Linux Kernel Archives.

“The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH,” explains Léveillé. “Instead it is manually installed by a malicious attacker. The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment.”

ESET says that while Windigo-affected websites attempt to infect visiting Windows computers with malware through an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic content.

With the help of its partners, ESET has already notified thousands of victims, and hopes that the whitepaper, which provides extensive guidance to help system administrators and network operators determine if servers are compromised, will raise awareness about this particular campaign. To make the process easier, the company has developed a simple UNIX command that instantly tells sysadmins whether they should be worried.

ESET recommends that affected machines be wiped before the operating system is re-installed, and says existing credentials should be considered compromised.

“We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks,” concludes Léveillé.

Max Smolaks
