Security researchers have released a paper documenting a large and complex operation, codenamed “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and Unix servers have been compromised to steal Secure Shell (SSH) credentials, redirect Web visitors to malicious content, and send spam. Well-known organizations such as cPanel and the Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages per day. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.
The paper lists three main malicious components (ESET detection names):
- Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials
- Linux/Cdorked – an HTTP backdoor used to redirect Web traffic
- Perl/Calfbot – a Perl script used to send spam
Lengthy campaigns by malicious attackers have become commonplace. With the appropriate resources, motivation, and desire, attackers can obtain significant rewards for their efforts. While some campaigns focus on targeting specific organizations to identify and exfiltrate sensitive information, the goal here was financial gain, by way of Web redirects, spam, and drive-by downloads.
Symantec protection
Symantec customers are protected against malware used in Operation Windigo with the following signatures:
AV
- Backdoor.Trojan
- Linux.Cdorked
- Linux.SSHKit
- Linux.SSHKit!gen1
- Trojan.Dropper
- Trojan.Tracur!gen5
- Trojan.Tracur!gen8
IPS
More details on ESET’s discovery of Operation Windigo are available on their blog.