Uncovering “Operation Windigo”

Hackers have built a strong distribution platform for spam and malware by using a backdoor Trojan to infect Unix servers worldwide. In the last couple of years, over 25,000 Unix servers have been infected.

ESET, an anti-virus firm, has recently issued a report describing ‘Windigo’. The security firm, in association with the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing, CERT-Bund and other agencies, has uncovered ‘Operation Windigo’.

The Windigo attackers are using an OpenSSH backdoor and credential stealer (Linux/Ebury) to steal the credentials of system administrators. The hackers then use those credentials to redirect web visitors to malicious exploit pages and ads.

ESET confirms that around 10,000 servers worldwide are currently infected by Operation Windigo. Around 35 million spam messages are sent to end users every day. Servers in the US, Italy, the UK, France and Germany are the most heavily affected by this spam and malware campaign.

According to a security intelligence program manager at ESET, their researchers have yet to find out how the OpenSSH backdoor initially got onto the servers. The hackers presumably profit financially from this campaign, but the channels through which they do so are unknown.

This spam and malware campaign targets different devices by redirecting them to different malicious content. Windows users, for instance, are redirected to exploit links, iPhone users are redirected to pornographic ads, and Mac users are served dating-site ads.

ESET further added that its researchers are getting in touch with system administrators to ensure that they check their servers for signs of infection. If a server is infected, they are advised to clean it by reinstalling the OS and software. New passwords and new secret PINs/keys should be used, and security measures such as two-factor authentication can strengthen security in the aftermath of the attack. Although starting from scratch is a complicated process, leaving a server compromised can have a far-reaching impact on its website visitors.

ESET has provided a list of ‘Indicators of Compromise’ in its report. Large hosting providers and system administrators can use that list to identify whether their servers have been attacked. In a section of the white paper, ESET has also suggested measures for cleaning affected servers.
