Hunting the beast

For readers familiar with mythology, the word Windigo might conjure up a vision of a fictional flesh-eating beast. In the world of cybersecurity, however, the term refers to a ‘server consuming’ malware-campaign uncovered by experts at ESET back in 2012, its name chosen due to the campaign’s ability to gobble up servers and wreak havoc on victims. We take a look back at this campaign.

First sighting

First detected in 2011 by the Linux Foundation, the malware campaign that later became known as Windigo was able to infiltrate around 25,000 servers over a two-year period (2012-2014), with the malicious gang behind it demonstrating a high level of technical expertise.

After receiving the first Linux/Cdorked sample from security firm Sucuri in March 2013, ESET launched Operation Windigo with the aim of analyzing the methods used by attackers, the extent of infection and the damage caused.

This resulted in a detailed report on the malware campaign and its impact in 2014. The comprehensive paper aimed to raise awareness of the operation through in-depth analysis, as well as details on how to detect infected hosts.

It was well received by the public and the infosec community. Even the team behind the malware recognized the authority of the study, remarking at the time: “Good job, ESET!”

A clever enemy

The malicious team behind Windigo are not amateurs. For example, the operation – which exploits backdoors – uses a modified version of OpenSSH, an “open source alternative to proprietary Secure Shell Software (SSH)”.

As well as infiltrating servers, the gang are also able to identify ordinary users from administrators, selecting victims based on their admin activity.

In addition, the authors of the malware have showed considerable expertise in their efforts to evade detection with tactics including the upgrade of infected servers with new software to throw investigators off course, and creating a new version of their DNS backdoor software in June 2013 in response to the creation of detection tools released just months earlier in April 2013.

Discovering clues

As noted above, the investigation carried out by ESET revealed that Operation Windigo had, as originally identified by the Linux Foundation, been in place since at least 2011, with more than 25,000 unique servers compromised between 2012-2014, in countries including France, Italy, Russian Federation, Mexico and Canada.

Infected servers were used by the attackers to mount extensive spam campaigns, steal credentials, redirect web traffic to advertisement networks and infect web users’ computers through ‘drive-by’ downloads.

The investigative team were also able to identify a link between “different malicious components such as Linux/Cdorked, Perl/Calfbot and Win32/Glupteba.M,” concluding that they are “all operated by the same group”.

Small but mighty

When compared to other malware campaigns, Windigo may seem somewhat small-scale, with ESET’s report confirming that the group were “currently in control of more than ten thousand” servers in 2014.

However, it is important to remember that by infecting servers which are “equipped with far more resources in terms of bandwidth, storage and computation power,” the malware has a greater reach than if it was simply to infect personal computers.

Indeed, according to ESET, the group are “able to send more than 35,000,000 spam messages per day” using this infrastructure.

In addition, the malware was – and is – able to infiltrate many different operating systems, including Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux. The malware was also discovered to have infected large organizations, including cPanel and Linux Foundation.

Stealth methods

The gang behind the operation also avoid detection by ceasing activity when they feel they are at risk of being discovered.

It was also noted by ESET that the authors of the malware tend to focus on smaller websites, particularly porn sites, rather than more mainstream servers, due to their wide reach and lower security threshold. They also maximize server resources by running different activities in accordance with the level of access gained.

In this way, the gang are able to wreak havoc with their malware, while staying one step ahead of information security experts and the authorities.

Joining forces

As a way to investigate and combat the attackers, ESET joined forces with several international organizations during their operation, including CERT-Bund, the Swedish National Infrastructure for Computing, and the European Organisation for Nuclear Research (CERN) to form a Working Group. Through this collaboration, the group members were able to notify those infected and assist with a clean-up.

The beast lives on

Like many malware threats, identification of the problem is not a solution in itself, and, with malware used by Operation Windigo evolving, it is imperative that administrators do all they can to avoid infiltration.

Since publishing the report in 2014, ESET has continued in its quest to combat and protect against Linux/Windigo malware, as well as other cybersecurity threats such as Linux/Ebury.