Researchers from ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing, as well as other agencies, have dubbed the offensive “Operation Windigo,” after a mythical creature from Algonquian Native American folklore with a cannibalistic nature.
Using a sophisticated combination of malware components, Operation Windigo is a widespread cybercriminal campaign that hijacks servers, infects the devices that visit them and steals users’ information. Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served advertisements for dating sites, and iPhone owners are redirected to pornographic online content.
Worryingly, more than 60% of all websites run on Linux servers, meaning the risk of further infection is severe. Notable victims so far include cPanel and kernel.org.
"The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH," said ESET security researcher Marc-Étienne Léveillé, in an analysis. "Instead it is manually installed by a malicious attacker. The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two-factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment."
Perhaps even more worryingly, the campaign has managed to evade scrutiny from the security community for years.
"Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control," continued Léveillé. "Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up in-boxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."
Unix system administrators and webmasters can run a command that will tell them whether or not their server's OpenSSH has been tampered with:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
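The one-liner above works because an unmodified OpenSSH of that era rejects the undocumented -G flag with an "illegal option" or "unknown option" error, whereas the Ebury-patched ssh client accepts it silently. The script below is an added example, not part of the ESET article or its tooling: it wraps that logic in functions (classify_ssh_g_output, ssh_g_test_applicable and run_check are names chosen here) so the classification can be exercised on captured output, and it adds the caveat a practitioner needs today: OpenSSH 6.8 and later implement -G as a legitimate option that prints the effective configuration, so on those versions the test reports "infected" on a perfectly clean host and must not be relied on.

```shell
#!/bin/sh
# Added example (not ESET's code): a checked version of the ssh -G test.

# Classify the text ssh printed when invoked as "ssh -G".
# Unmodified OpenSSH older than 6.8 rejects -G with "illegal option" or
# "unknown option"; the Ebury-patched ssh accepts it without complaint.
classify_ssh_g_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo "clean"
    else
        echo "infected"
    fi
}

# OpenSSH 6.8+ supports -G legitimately, so the test is only meaningful
# on older builds. Takes the "ssh -V" banner (e.g. "OpenSSH_6.2p2 ...")
# and returns 0 if the test applies, 1 if it does not (or banner unparsable).
ssh_g_test_applicable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -lt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; then return 0; fi
    return 1
}

# Run the check against the local ssh binary. Exit status 2 means the
# test is inconclusive on this OpenSSH version; otherwise prints the verdict.
run_check() {
    banner=$(ssh -V 2>&1)
    if ! ssh_g_test_applicable "$banner"; then
        echo "ssh -G is a supported option in '$banner'; test inconclusive" >&2
        return 2
    fi
    classify_ssh_g_output "$(ssh -G 2>&1)"
}

# Invoke as "sh windigo_check.sh run" to test the local host.
case "${1:-}" in
    run) run_check ;;
esac
```

A "clean" verdict from this test only says the ssh client binary does not accept -G; it does not prove the absence of other Windigo components, so treat it as one indicator alongside package integrity checks and host inspection.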
"Webmasters and IT staff already have a lot of headaches and things on their mind, so we hate to add to their workload – but this is important," said Léveillé. "Everyone wants to be a good net citizen, and this is your chance to play your part and help protect other internet users. The last thing anyone should want is to be part of the problem, adding to the spread of malware and spam. A few minutes can make the difference, and ensure you are part of the solution."
If system administrators discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software. It is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised.
"We realize that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," explained Léveillé. "Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line."