Backdoor Attacks From Windigo Operation Still Active

Windigo, a malicious operation uncovered over three years ago, continues to be active despite a takedown attempt in 2014 and the sentencing of one conspirator in August 2017.

At the core of Windigo was Linux/Ebury, an OpenSSH backdoor and credential stealer that was estimated to have infected over 25,000 servers worldwide during a two-and-a-half-year period prior to the botnet’s discovery. The systems were being abused to steal credentials, redirect web traffic to malicious sites, and send in excess of 30 million spam messages a day.

The operation was uncovered by ESET researchers who worked together with CERT-Bund, the Swedish National Infrastructure for Computing, and other agencies to take it down. In 2015, Finnish authorities apprehended Maxim Senakh, one of the conspirators behind the operation. He was extradited to the United States last year and sentenced to 46 months in federal prison in August this year.

While security researchers did notice a significant drop in the Windigo activity related to the web traffic redirection following Senakh’s arrest, the malicious operation was not put to rest completely, and the Ebury backdoor has evolved, ESET warns.

A new version of the malware that was discovered in February this year shows that its authors focused on evasion and on improving the botnet’s resilience against takeover attempts. Furthermore, the malware now packs a new mechanism to hide the malicious files on the filesystem, the researchers discovered.

The malware continues to use a domain generation algorithm (DGA) for data exfiltration if the operator hasn’t connected to the infected system via the OpenSSH backdoor for three days, but changes were made to the DGA itself, ESET reveals.

Ebury now includes self-hiding techniques the researchers refer to as a “userland rootkit.” For that, the malware hooks the readdir and readdir64 functions, which are used to list directory entries. Should the Ebury shared library file be the next directory entry to return, the hook skips it and returns the subsequent entry instead.

To activate the hooks, Ebury injects its dynamic library into every descendant process of sshd. Thus, Ebury’s dynamic library is loaded when the new process is executed, and the malware’s constructor is called, executing the hooking routines.

In addition to being Linux-distribution-specific, earlier versions of the backdoor used to work only on very specific versions of OpenSSH, but the newer version replaced the OpenSSH patching routines with function hooking. Thus, the researchers were able to execute the malware on multiple Linux distributions.

The threat also features a hardened backdoor mechanism that no longer relies on a password encoded in the SSH client version string. Now, the backdoor’s activation requires a private key to authenticate, an extra check supposedly added to prevent unauthorized use of Ebury-compromised servers.

The new version of Ebury features new installation methods, the security researchers discovered. As in previous versions, the malware adds the payload inside the library, but does so differently than before, and it also uses different deployment scripts and techniques depending on the Linux distribution running on the targeted system.

“Ebury now uses self-hiding techniques and new ways to inject into OpenSSH related processes. Furthermore, it uses a new domain generation algorithm (DGA) to find which domain TXT record to fetch. The exfiltration server IP address is concealed in these data, signed with the attackers’ private key. An expiration date was added to the signed data to defend against signature reuse, thus mitigating potential sinkhole attempts. Windigo’s operators regularly monitor publicly shared IoCs and quickly adapt to fool available indicators,” ESET concludes.

Related: Researchers Uncover Attack Campaign Leveraging 25,000 Unix Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
