Unix botnet ‘Windigo’ spreads spam and malware

March 21, 2014

Security researchers have discovered a Unix botnet that has generated a massive amount of malware over the last two years. While I was reading their report (PDF), it became clear to me that Linux servers are no longer secure. Codenamed “Operation Windigo,” the botnet was discovered and reported by antivirus software maker ESET, working with an international task force that included the German Computer Emergency Response Team and the Swedish National Infrastructure for Computing, among others. It is a mass compromise of Linux servers, used to steal credentials and redirect traffic to malicious content. ESET analyzed what it termed a global malware campaign that used a backdoor in OpenSSH, an open source version of the remote access interface Secure Sockets Shell used to administer servers. Over the past twenty-four months, ESET says, more than 25,000 servers were affected, and of these over 10,000 remain infected today. Windigo operates by doing everything from redirecting traffic to compromised sites to sending millions of spam emails every day, and has done so for more than two years. According to ESET, Windigo commandeered 25,000 Unix servers using a Trojan, stealing credentials and data from its targets.

Apart from Linux servers abused through the OpenSSH Ebury backdoor, systems running OS X, OpenBSD, FreeBSD and Microsoft Windows (through the Cygwin layer) have also been compromised. ESET's security researchers say that Windigo attacks more than 500,000 targets per day; people exchange data with servers all over the world when browsing websites and receiving emails, and so are potentially exposing themselves to other infected servers as well. ESET says the Windigo infestation campaign forms a huge, complex network that builds its supporting infrastructure from nginx reverse proxies, TinyDNS resolvers for domain name lookups, SSH tunnels for encrypted command and data communications, and Windows-based malware deployed in drive-by attacks on visitors to infected sites. While ESET did not name the operators behind Windigo, the security vendor said they have been active since 2011. Windigo is also responsible for sending 35 million spam messages a day, according to ESET. To prevent infection, ESET suggests disabling root login over SSH and disabling password logins. Using SSH agent forwarding instead of copying private keys to servers was also recommended, as was two-factor authentication.
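The two sshd settings ESET's advice above turns on, disabling root login and password logins, are easy to state and easy to get wrong, because OpenSSH takes the first matching directive in sshd_config and silently falls back to defaults when a directive is absent. The script below is an added example, not code from the original post or from ESET's report: it audits a config file for those two directives and reports whether each one is hardened. The file paths and the three sample configs are constructed for the example; the function names ssh_directive and audit_sshd_config are my own.

```shell
#!/bin/sh
# Added example (not from the original post or ESET's report): check an sshd_config
# for the two settings the post recommends changing, PermitRootLogin and
# PasswordAuthentication. Sample configs below are constructed for this example.

# Print the effective value of a directive. OpenSSH uses the FIRST uncommented
# match, directive names are case-insensitive, and a missing directive means the
# built-in default applies (PermitRootLogin defaults to prohibit-password on
# current OpenSSH releases, PasswordAuthentication defaults to yes).
# Caveat: only global directives are read; values inside Match blocks are ignored.
ssh_directive() {
    # $1 = config file, $2 = directive name, $3 = default when absent
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Return 0 if both directives are hardened, 1 if either is weak.
audit_sshd_config() {
    cfg="$1"
    status=0
    root=$(ssh_directive "$cfg" PermitRootLogin prohibit-password)
    pass=$(ssh_directive "$cfg" PasswordAuthentication yes)
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin is '$root' (recommended: no)"
        status=1
    fi
    if [ "$pass" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '$pass' (recommended: no, use keys plus 2FA)"
        status=1
    fi
    return $status
}

# Constructed sample configs: the weak settings, the hardened ones, and a file
# that names neither directive so only the defaults apply.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

DEFAULT_CFG=$(mktemp)
cat > "$DEFAULT_CFG" <<'EOF'
Port 22
EOF

echo "--- weak config ---";     audit_sshd_config "$WEAK_CFG" || true
echo "--- defaults only ---";   audit_sshd_config "$DEFAULT_CFG" || true
echo "--- hardened config ---"; audit_sshd_config "$HARD_CFG" && echo "OK: hardened"
```

Run it against a real server with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; note that the commented-out `#PermitRootLogin no` line in the weak sample is correctly ignored, and that the defaults-only file is still reported as weak because password authentication is on unless it is explicitly turned off.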

Contador Harrison