Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo

If you run a website on a Linux server or are responsible for the security of your company’s Unix servers, there’s something very important you should do right now.

Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers.

And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed.

The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines.

Spam sent from Windigo-affected server

That would be bad enough, normally.

But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users.

Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals.

Windigo redirects iPhone users to X-rated websites

ESET’s security research team has published a detailed technical paper into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years.

“Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.

In its attempt to hijack servers and infect computers, Windigo uses a complex knot of sophisticated malware components including Linux/Ebury (an OpenSSH backdoor and credential stealer that was the subject of a detailed investigation by ESET researchers earlier this month), Linux/Cdorked, Perl/Calfbot, Linux/Onimiki, Win32/Glubteba.M, and Win32/Boaxxe.G.

During a single weekend, ESET researchers observed more than 1.1 million different IP addresses going through part of Windigo’s infrastructure, before being redirected to servers hosting exploit kits.

An analysis of the visiting computers revealed a wide range of operating systems being used.

Victims by operating system

This in itself threw up some light relief, as researchers discovered that “23 people apparently still browse the Internet on Windows 98, and one person even does it on Windows 95.”

Léveillé and his fellow researchers are appealing for Unix system administrators and webmasters to run the following command which will tell them if their server is compromised or not:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

That single Unix command should quickly tell you whether your system is seriously compromised by Windigo, and whether you need to take steps to clean up and better protect your servers in future. Further details on how to tell if your server has been compromised are included in ESET’s technical white paper on Operation Windigo [PDF].
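The one-liner above works because a genuine OpenSSH of that era rejects -G with an “illegal option” or “unknown option” message, whereas Ebury’s backdoored sshd silently accepts it. The following script is an added example (not ESET’s code or the article’s) that keeps the same grep logic but puts it in a testable function, forces LC_ALL=C so a localized error string does not cause the false positive Olivier Bilodeau mentions in the comments, and reports the result as inconclusive on OpenSSH 6.8 or later, which added a legitimate -G option (print the effective configuration); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article or from ESET. Reimplements the
# "ssh -G" Ebury check so the classification step can be run offline.

# Return 0 (true) when an "ssh -V" banner reports OpenSSH 6.8 or newer,
# i.e. a release where -G is a legitimate option and the check proves nothing.
openssh_has_native_g() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# Classify captured "ssh -G" output (stdout+stderr, like the article's 2>&1).
#   $1 = text produced by "ssh -G"     $2 = text produced by "ssh -V"
# Prints one word: clean | suspicious | inconclusive
classify_ssh_g() {
    if openssh_has_native_g "$2"; then
        echo inconclusive          # modern OpenSSH handles -G itself
        return 0
    fi
    case "$1" in
        *illegal*|*unknown*) echo clean ;;       # the option was rejected
        *)                   echo suspicious ;;  # -G accepted: Ebury-style behaviour
    esac
}

# Run the live check on this host. LC_ALL=C keeps the error strings in English
# so the pattern match above is not defeated by a localized shell.
run_live_check() {
    g_output=$(LC_ALL=C ssh -G 2>&1)
    v_output=$(LC_ALL=C ssh -V 2>&1)
    classify_ssh_g "$g_output" "$v_output"
}

# Usage: sh ebury_g_check.sh --live
if [ "${1-}" = "--live" ]; then
    run_live_check
fi
```

A “suspicious” result is a prompt to pull the full indicators from ESET’s IOC page rather than a verdict on its own, and an “inconclusive” result means this particular test cannot be used on that OpenSSH version.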

Learn more now:
Download ESET’s detailed technical paper about “Operation Windigo”

Author Graham Cluley, We Live Security

  • Daz71

    I believe the command given in this article could give false positives?

    • Olivier Bilodeau

      Yes it could. We validated several versions of OpenSSH, but there could be a really old version we missed, or people could be running their shell localized, which would mean the strings would be translated and not matched by our grep. We still think this will cover 90%+ of the cases though.

      If you want to be thorough, have a look at our indicators of compromise (IOC) section of the report, or check our GitHub page where we posted the IOC: https://github.com/eset/malware-ioc/tree/master/windigo#linuxebury

  • Dave Ewart

    Could someone explain how/why that command works? Isn’t -G an invalid option to ssh?

    • Yes, it’s an invalid option in openssh. The point of the command is to capture ssh’s flagging it as an illegal or unknown option even though it’s not written to stderr on an Ebury-compromised system.

    • riking

      Ebury provides a handler for the -G option, and that handler is an easy way to connect to another backdoored system, so it will only be present on compromised systems.

  • Wintermute

    Could someone explain just HOW these compromised versions of OpenSSH could be installed in the first place? The web is all buzz about this, but no one is addressing this core issue. Since the vast majority of Linux servers are using repositories for installing software packages, the only explanation would be that some repos are compromised too?

    • Olivier Bilodeau

      The malware steals SSH credentials (and SSH keys) when people are connecting to servers from infected servers. Often it gets root credentials. The operators then log on the server and install the Linux/Ebury OpenSSH backdoor which, in turn, means more stolen credentials and more infections.

      This is how we saw it propagate.

      What we do not know, however, is how server 0 was infected. It could be SSH password bruteforce, it could be exploits, or it could be server credentials purchased on the black market (a lot of Windows malware harvests credentials of popular software like PuTTY – a Windows SSH client).

      We didn’t have access to that server 0 (we don’t even know which one it is and it could’ve been cleaned by now) so unfortunately we don’t know.

  • MihirJ

    On our servers we have SSH protected by hosts.allow as well as two-factor authentication plus strong passwords. So, as a Senior Security Analyst, I am 100% sure we are not compromised via root (rooted). The only probability is repos (we have CentOS and EPEL).
    All the tests fail except the ‘SSH -G’ option. According to forums (cPanel, Ars Technica, etc.), we are most likely compromised.

    We did strace for all PIDs related to SSH, and at the time I logged in via another session to the server so that strace could trace the system calls for me. After that we just consolidated the strace output, bifurcating by system call.

    The only thing we found is that our server was making an outbound connection to the IPs inside resolv.conf on port 53, which is normal.

    Does it mean it is hacked? Is there something we are missing about this trojan, or have we just created a hoax from the probability?

    • Marc-Etienne M.Léveillé

      Hi MihirJ,

      It could be a false positive or there could be some typos in the command you typed. Please send us an e-mail at windigo _at_ eset.sk with the details about your OpenSSH version, the output of “ssh -G” and “ipcs -m”. We’ll be able to further help you.


Copyright © 2018 ESET, All Rights Reserved.