Cyber criminals using sophisticated malware are compromising thousands of Unix-based servers, spewing spam and redirecting half a million Web users per day to malicious content!
Dubbed Operation Windigo, the attack has been ongoing for over two and a half years, compromising as many as 25,000 servers at one time, anti-virus vendor ESET said. Systems infected with the backdoor Trojan are used to steal credentials, redirect Web traffic to malicious content and send as many as 35 million spam messages a day.
ESET investigated the criminal operation in collaboration with CERT-Bund and the Swedish National Infrastructure for Computing. Compromised servers were found throughout the U.S., Germany, France, and the United Kingdom.
Operating systems affected by the spam component of the operation include:
- Linux, FreeBSD
- OS X
With more than 60% of the world’s websites running on Linux servers, ESET researchers are warning Web masters and system administrators to check their systems for infection. ESET found that the compromised servers had been infected with the Ebury OpenSSH backdoor. The network is particularly virulent because each of these systems has significant bandwidth, storage, computing power and memory.
Linux/Ebury is a particularly stealthy malware, ESET said. Its creators are careful to deploy the backdoor without leaving files on the file system, and they leave no trace in log files when using the backdoor. In addition, the malware configuration loaded onto a system is stored only in memory, so it is lost when the system is rebooted. This makes it difficult for forensics experts to determine what the attackers were able to do on the system.
“What you’re able to do in terms of forensics will be to analyze the binary files you’ll find in the malware, but you won’t find the configuration,” ESET security researcher Marc-Étienne Léveillé said.
For encrypted communications, the creators install the backdoor in the OpenSSH instance on the servers. OpenSSH, or OpenBSD Secure Shell, is a set of computer programs that use the SSH protocol to provide encrypted communications over a computer network.
Ways to derail the malware campaign include using two-factor authentication, which makes the stolen credentials unusable, Léveillé said. Keeping the OS and installed software up to date is also a good defense.
Computers visiting an infected server and redirected to a malicious Web page encounter an exploit kit that checks for older software with vulnerabilities it can exploit, Léveillé said.