SecurityWeek

Malware & Threats

Researchers Uncover Attack Campaign Leveraging 25,000 Unix Servers

Operation Windigo Infects Linux Servers

A team of security researchers has uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world.
The finding was made by researchers from ESET, CERT-Bund, the Swedish National Infrastructure for Computing and other agencies. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling ‘Operation Windigo.’ Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day.

“Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,” said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement. “This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory.”

Infected servers have been identified in the U.S., Germany, France and the U.K. According to the researchers, they are believed to redirect as many as half a million web visitors a day to malicious content. Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served advertisements for dating sites. iPhone owners are redirected to sites with adult content. 

Operating systems altered by the spam component include Linux, FreeBSD, OpenBSD, Mac OS X and Windows, ESET said.

ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present. 

According to ESET, Unix system administrators and webmasters can run the following command to see if their server is compromised or not:


$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
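The one-liner works because the backdoored OpenSSH client shipped by the Windigo operators silently accepts the undocumented -G option, while a stock client of the time rejects it with an "illegal option" or "unknown option" error. The script below is an added example, not from the article or ESET's report: it wraps that heuristic in functions that can be exercised offline, and adds a caveat the practitioner needs today, namely that OpenSSH 6.8 and later legitimately accept -G (it prints the effective client configuration), so on modern builds the heuristic flags a clean host. The function names and the version-parsing logic are this example's own.

```shell
#!/bin/sh
# Added example (not the article's or ESET's code): the "ssh -G" indicator
# from the report, wrapped so it can be tested on captured output.

# classify_ssh_g_output OUTPUT
# Applies the article's heuristic to the captured output of "ssh -G":
#   an "illegal"/"unknown option" error -> "clean"   (stock client rejects -G)
#   anything else                       -> "suspect" (client accepted -G)
classify_ssh_g_output() {
  case "$1" in
    *illegal*|*unknown*) echo "clean" ;;
    *)                   echo "suspect" ;;
  esac
}

# ssh_supports_g_natively VERSION_STRING
# Caveat: OpenSSH 6.8 and later accept -G as a documented option, so the
# heuristic above yields "suspect" on a perfectly clean modern host.
# Takes the text printed by "ssh -V" and returns 0 when the version is >= 6.8.
ssh_supports_g_natively() {
  ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1            # not an OpenSSH banner: be conservative
  major=${ver% *}
  minor=${ver#* }
  [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# check_local_ssh
# Runs the check against the local ssh client and prints a verdict:
# "no-ssh", "inconclusive (...)", "clean" or "suspect".
check_local_ssh() {
  command -v ssh >/dev/null 2>&1 || { echo "no-ssh"; return; }
  if ssh_supports_g_natively "$(ssh -V 2>&1)"; then
    echo "inconclusive (OpenSSH >= 6.8 accepts -G natively)"
    return
  fi
  classify_ssh_g_output "$(ssh -G 2>&1)"
}

# Stand-alone run: report on the client installed on this host.
check_local_ssh
```

A "suspect" verdict from this heuristic is only an indicator, not proof; ESET's guidance in the article (and the report it links) remains the authoritative path for confirming and cleaning an infection, and on any host where ssh -V reports 6.8 or later the -G test says nothing either way.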

If systems are found to be infected, ESET has advised administrators to wipe affected computers and reinstall the operating system and software. For a higher level of security in the future, technology such as two-factor authentication should be considered, ESET said.

As SecurityWeek highlighted last month, there are many misconceptions around Linux security and attacks are not something only Windows users need to worry about.

“There is a perception out there that Linux systems don’t need additional security,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab, said at the Kaspersky Lab Security Analyst Summit last month. “This is a problem since Linux servers are increasingly coming under attack,” he said. The main threats facing Linux systems aren’t zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH.

In October 2012, attackers breached several Web servers and installed a version of the “itsoknoproblembro” toolkit in order to launch a series of powerful DDoS attacks against banks and other financial institutions in the United States. The toolkit runs on both Linux and Windows.

In November 2013, Symantec discovered that a group of sophisticated attackers developed a way to evade detection by using a Linux backdoor designed to hide communications.

The full report on Operation Windigo from ESET is available here.

*Additional reporting by Mike Lennon

Written By

Marketing professional with a background in journalism and a focus on IT security.