Researchers Uncover Attack Campaign Leveraging 25,000 Unix Servers

Operation Windigo Infects Linux Servers

A team of security researchers has uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world.

The finding was made by researchers from ESET, CERT-Bund, the Swedish National Infrastructure for Computing and other agencies. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling ‘Operation Windigo.’ Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day.

“Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,” said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement. “This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory.”

Infected servers have been identified in the U.S., Germany, France and the U.K. According to the researchers, they are believed to redirect as many as half a million web visitors a day to malicious content. Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served advertisements for dating sites. iPhone owners are redirected to sites with adult content. 

Operating systems altered by the spam component include Linux, FreeBSD, OpenBSD, Mac OS X and Windows, ESET said.

ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present. 

According to ESET, Unix system administrators and webmasters can run the following command to see if their server is compromised or not:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

If systems are found to be infected, ESET has advised administrators to wipe affected computers and reinstall the operating system and software. For a higher level of security in the future, technology such as two-factor authentication should be considered, ESET said.
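As an added example, which is neither part of the article nor ESET's own tooling, the following POSIX shell script wraps the one-line check in functions that return an exit status, so it can be run by a script across many hosts rather than read by eye. The function names are my own. It also handles a caveat the article predates: OpenSSH 6.8 later made -G a documented option (a fact from OpenSSH's release notes, not from this article), so on a build that accepts -G legitimately the absence of an "illegal option" message no longer distinguishes clean from infected, and the script reports that case as inconclusive instead of "infected".

```sh
#!/bin/sh
# Added example (not ESET's or SecurityWeek's code): wraps the published
# `ssh -G` check in functions that return an exit status. Function names are
# my own.
#
# Why the original check works: Ebury's trojanized ssh silently accepted an
# undocumented -G option, whereas a legitimate ssh of that era rejected it with
# "illegal option" or "unknown option". OpenSSH 6.8 later made -G a documented
# option (OpenSSH release notes, not the article), so on newer builds a missing
# error message is not evidence of infection.

# Print "clean" or "suspect" for the combined stdout/stderr of `ssh -G`,
# applying ESET's heuristic exactly as published.
classify_ssh_g_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo suspect
    fi
}

# Return 0 when the `ssh -V` banner is OpenSSH 6.8 or newer (-G documented).
ssh_g_is_documented() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }
}

# Run the check against an ssh binary (default: the one on PATH).
# Exit status: 0 clean, 1 suspect, 2 inconclusive, 3 binary not found.
ebury_ssh_check() {
    ssh_bin="${1:-ssh}"
    command -v "$ssh_bin" >/dev/null 2>&1 || { echo "no such binary: $ssh_bin"; return 3; }
    verdict=$(classify_ssh_g_output "$("$ssh_bin" -G 2>&1)")
    if [ "$verdict" = clean ]; then
        echo "System clean: $ssh_bin rejected -G"
        return 0
    fi
    if ssh_g_is_documented "$("$ssh_bin" -V 2>&1)"; then
        echo "Inconclusive: $ssh_bin documents -G; rely on ESET's other indicators"
        return 2
    fi
    echo "System infected: $ssh_bin accepted -G without complaint"
    return 1
}

# Invoke only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    ebury_ssh_check "${2:-ssh}"
fi
```

Run it as `sh check.sh --run` (or `sh check.sh --run /usr/bin/ssh` to test a specific binary) and branch on the exit status; a 2 means the heuristic cannot decide on that OpenSSH version and the other indicators in ESET's report are needed.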

As SecurityWeek highlighted last month, there are many misconceptions around Linux security and attacks are not something only Windows users need to worry about.

“There is a perception out there that Linux systems don’t need additional security,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab, said at the Kaspersky Lab Security Analyst Summit last month. “This is a problem since Linux servers are increasingly coming under attack,” he said. The main threats facing Linux systems aren’t zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH.

In October 2012, attackers breached several Web servers and installed a version of the “itsoknoproblembro” toolkit in order to launch a series of powerful DDoS attacks against banks and other financial institutions in the United States. The toolkit runs on both Linux and Windows.

In November 2013, Symantec discovered that a group of sophisticated attackers developed a way to evade detection by using a Linux backdoor designed to hide communications.

The full report on Operation Windigo from ESET is available here.

*Additional reporting by Mike Lennon
