Antivirus firm ESET has been tracking and investigating the operation behind Linux/Ebury, uncovering a sophisticated campaign called Operation Windigo.
Operation Windigo is the name of a sophisticated malware-based campaign uncovered by security experts at ESET that, using the Linux/Ebury backdoor, has impacted more than 500,000 computers and 25,000 dedicated servers.
ESET researchers collaborated with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and many other agencies to counter the malicious campaign, which affected numerous countries including the US, Germany, France, Italy, Great Britain, the Netherlands, the Russian Federation, Ukraine, Mexico and Canada.
At the end of 2013 security experts detected thousands of infected Linux systems all around the world. The victims’ systems were infected by an OpenSSH backdoor trojan and credential stealer named Linux/Ebury; the malware allows the attackers to take control of the affected machines.
Researchers at ESET have conducted a deep investigation of the Linux/Ebury backdoor, discovering that the large-scale campaign dubbed Operation Windigo has been ongoing since at least 2011.
“We discovered an infrastructure used for malicious activities that is all hosted on compromised servers. We were also able to find a link between different malware components such as Linux/Cdorked, Perl/Calfbot and Win32/Glupteba.M and realized they are all operated by the same group.”
The compromised infrastructure was used to steal SSH credentials, redirect Internet users to malicious websites and send spam.
The attackers behind Operation Windigo don’t exploit zero-day vulnerabilities against Linux or Unix systems; they exploit known weaknesses to build and maintain their botnet.
Operation Windigo hit popular entities like the Linux Foundation and cPanel. The hackers compromised a wide range of operating systems, including Apple OS X, FreeBSD, OpenBSD, Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture.
“Malicious modules used in Operation Windigo are designed to be portable. The spam-sending module has been seen running on all kinds of operating systems while the SSH backdoor has been witnessed both on Linux and FreeBSD servers,” states the ESET report.
ESET experts revealed that the quality of the malicious code is high; the attackers demonstrated a deep knowledge of Linux platforms, and the HTTP backdoor can infect Apache’s httpd, Nginx and lighttpd web servers. The attackers adopted various techniques depending on the level of access they had on the targeted environment.
ESET reported that the servers were compromised “using the Linux/Ebury OpenSSH backdoor”: “According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today.” The report adds: “No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past.”
It has been estimated that the cyber criminals responsible for Operation Windigo compromised an impressive number of machines, using them for malicious activities such as sending more than 35,000,000 spam messages per day.
“If a victim uses a smartphone to surf the malicious link from spam mails, they will be redirected to porn sites, with the intention of making money.”
The report also provides instructions to easily discover whether a system has been infected: administrators can run the following Unix/Linux command:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
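The following script is an added example, not part of the ESET report: it wraps the report’s `ssh -G` check in functions that can be tested on captured output, and it first checks the installed OpenSSH version, because OpenSSH 6.8 and later accept `-G` as a legitimate option (a fact not stated on this page), so on modern systems the check would report every machine as infected. Function names, the `--run` switch and the sample strings in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: testable wrapper around the ESET "ssh -G" indicator.

# classify_ssh_g_output OUTPUT
# Mirrors the report's grep: an unmodified ssh of the report's era rejects -G
# with "illegal option" or "unknown option", so that text means "clean".
# Any other response means ssh silently accepted -G, which is the Ebury sign.
classify_ssh_g_output() {
    case "$1" in
        *illegal*|*unknown*) echo clean ;;
        *)                   echo suspect ;;
    esac
}

# ssh_g_test_applies VERSION_STRING  (e.g. output of `ssh -V`)
# Returns 0 only for OpenSSH older than 6.8; from 6.8 on, -G is a real option
# (prints the effective client configuration), so the indicator is unusable.
ssh_g_test_applies() {
    ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # not OpenSSH, or unparseable version
    set -- $ver                        # word-split into major and minor
    major=$1; minor=$2
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; }
}

# run_check: performs the live test on this host. Exit 2 means "not applicable".
run_check() {
    version=$(ssh -V 2>&1)
    if ! ssh_g_test_applies "$version"; then
        echo "ssh -G indicator not applicable to: $version"
        return 2
    fi
    out=$(ssh -G 2>&1)
    classify_ssh_g_output "$out"       # prints "clean" or "suspect"
}

# Invoke as:  sh ebury_check.sh --run
if [ "${1-}" = "--run" ]; then
    run_check
fi
```

A "suspect" result on an old OpenSSH is an indicator, not proof; the report’s own advice (reinstall, rotate credentials and keys) still applies after confirming the finding by other means.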
ESET strongly suggests that victims of Operation Windigo reinstall the system or reset all passwords and private OpenSSH keys.