Incident Response, Malware, TDR

“Windigo” Op infected 25,000 servers to bolster spam, malware campaign

By using a backdoor trojan to compromise thousands of Unix and Linux servers, attackers have been able sustain a far reaching spam and malware campaign.

On Tuesday, security firm ESET published a white paper (PDF) detailing “Operation Windigo,” which has infected more than 25,000 servers worldwide in the last two years.

In collaboration with Germany's CERT-Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN), and other organizations that formed an international working group, ESET figured out Windigo's complex attack cycle.

According to the 69-page white paper, an OpenSSH backdoor, dubbed Linux/Ebury, that steals administrators' credentials ultimately gives Windigo attackers the ability to redirect end-users to malicious content or spam their accounts with messages.

Among the servers in 110 countries that have been impacted by Operation Windigo, the majority are in the United States, Germany, France, Italy and the U.K. ESET estimates that there are currently more than 10,000 infected servers worldwide, and that Windigo is responsible for sending around 35 million spam messages a day to end-users.

On Tuesday, Pierre-Marc Bureau, security intelligence program manager at ESET, told that researchers haven't determined how the initial backdoor infected servers, but that attackers are able to financially benefit from the operation through numerous channels.

“The backbone of the operation is the SSH backdoor, that is used to maintain control over the infected servers and also to steal more credentials,” Bureau said. “Once the attacker steals credentials, he can use it for various purposes, such as to send spam by using a script [or] they can install another [malware] component to redirect visitors to advertisements for click fraud, or to [exploit] pages.”

End-users on mobile devices have also fallen victim to the redirect scams, Bureau explained, as the campaign serves different content to users depending on what kind of device they are on. iPhone users, for instance, are redirected to x-rated advertisements, while Windows PC users are redirected to exploit pages, and Mac users, dating site adverts.

“It is a very complex operation. The message we are trying to send out is to system administrators – to make sure they clean their servers and understand how this can have an impact on their web visitors,” Bureau added.

In its white paper, ESET provided an appendix highlighting indicators of compromise (IOC), which can be used by system administrators and large hosting providers alike to identify infection. A section on how to clean infected servers was also included in the paper.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.