3/19/2014
12:06 PM
Linux Takeover Artists Fling 35M Spam Messages Daily

"Operation Windigo" server takeover campaign controls 10,000 hacked servers, launches millions of spam, malware, and drive-by exploit kit attacks per day.

Beware a long-running Linux server compromise campaign that's being used to fling 35 million spam messages each day. The gang behind the attacks also controls a network of 700 compromised Web servers that's regularly used to steal secure shell (SSH) credentials and redirect 500,000 people per day to sites that host malicious content.

That warning was sounded Tuesday by security firm ESET, which has released an in-depth study of the so-called "Operation Windigo" attack campaign. "According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today," said Pierre-Marc Bureau, security intelligence program manager for ESET, in a blog post. "This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power, and memory. Well-known organizations such as cPanel and kernel.org were on the list of victims, although they have now cleaned their systems."

The gang behind Operation Windigo has relied on three homebuilt tools to handle the main parts of the malicious operation. The first is Ebury, a Linux-compatible OpenSSH backdoor used to steal credentials remotely and to control servers. It was installed on more than 25,000 compromised servers and is still active on 10,000 of them. The attackers also built Cdorked, an HTTP backdoor that runs on Apache's httpd as well as the Nginx and lighttpd web servers and redirects a server's web traffic. It often works in conjunction with a modified DNS server called Onimiki and currently infects about 700 servers. Finally, they created a Perl script called Calfbot, designed to send spam, which has infected systems running FreeBSD, Linux, Mac OS X, OpenBSD, and even Windows -- with Perl running via the Unix-like environment and command-line interface known as Cygwin.

All of that malware was designed with one over-arching purpose. "The goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads," according to a blog post from Symantec.


Furthermore, a teardown of the Windigo malware reveals that the attackers are both technically astute and expert at hiding their tracks. "The complexity of the backdoors deployed by the malicious actors shows out-of-the-ordinary knowledge of operating systems and programming," according to the ESET report. They have also been careful to develop stealthy, malicious code that runs "on a wide range of server operating systems," thus expanding their reach. "They leave as little trace as possible on the hard drive, so it makes forensics a lot harder," said ESET malware researcher Marc-Etienne M. Léveillé, speaking by phone. "For example, to infect OpenSSH, they will not modify OpenSSH itself; they will modify a shared library used by OpenSSH, so it makes it very hard [for admins] to tell that they're compromised."
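One concrete form of the check Léveillé's remark implies, as an added example that is not from the article or from ESET: record a baseline of the shared libraries a binary such as sshd loads on a host believed to be clean, then later flag any library whose contents changed even though its name and location did not. The file names in demo() are constructed stand-ins, and libraries_of() assumes `ldd` is available on the host.

```python
import hashlib
import os
import re
import subprocess
import tempfile

# One `ldd` line of the form "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)".
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(/\S+)\s*\(0x[0-9a-fA-F]+\)\s*$")


def parse_ldd(output):
    """Return the resolved library paths from `ldd` output; lines without
    a path (the vDSO, the dynamic loader itself) are skipped."""
    return [m.group(2) for m in map(LDD_LINE.match, output.splitlines()) if m]


def libraries_of(binary):
    """Resolve the shared libraries a real binary loads, e.g. /usr/sbin/sshd."""
    proc = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    return parse_ldd(proc.stdout)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(paths):
    """Map each library path to its SHA-256, taken on a host believed to be clean."""
    return {path: sha256_of(path) for path in paths}


def verify(baseline):
    """Return the paths whose contents changed or that no longer exist."""
    return [p for p, d in baseline.items()
            if not os.path.exists(p) or sha256_of(p) != d]


def demo():
    """Offline walk-through on constructed files standing in for libraries."""
    with tempfile.TemporaryDirectory() as tmp:
        libs = [os.path.join(tmp, n) for n in ("libssl.so.1", "libcrypto.so.1")]
        for path in libs:
            with open(path, "wb") as fh:
                fh.write(b"constructed library body for " + os.path.basename(path).encode())
        baseline = record_baseline(libs)
        # Simulate a trojanised library: same name and location, different bytes.
        with open(libs[1], "ab") as fh:
            fh.write(b"\x90\x90 injected")
        return [os.path.basename(p) for p in verify(baseline)]


if __name__ == "__main__":
    print(demo())  # -> ['libcrypto.so.1']
```

The baseline is only as trustworthy as the host it was taken on, and an intruder with root can alter the verifier too, so keep the recorded hashes and the script itself off the monitored machine, or compare against package-manager checksums obtained from a trusted mirror.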

Together with its report, ESET this week also released indicators of compromise for detecting that malware, in the form of a Yara file for malware researchers and rules for the open source intrusion detection and prevention system (IDS/IPS) Snort.

Worldwide distribution of hosts infected by Linux/Ebury, one of the three Operation Windigo tools. (Credit: ESET research.)

Even if discovered, however, the malware can be difficult to eradicate. "Over the last few years, our team has been handling and fixing compromised servers and we can attest to how complex the clean-up for this infection can be," said Daniel Cid, CTO at Sucuri, in a blog post. "We've seen that the servers we've fixed have been misused for distribution of malware, spam, and -- in some cases -- to steal credit cards on compromised Web servers used for e-commerce."

Just what happens after the Windigo malware successfully infects a server? In September 2013, ESET researchers captured network traffic for a Cdorked-infected server that was acting as a reverse proxy, and found that over a two-day period, 1.1 million IP addresses were routed through the server to a malicious website hosting an exploit kit. According to ESET, 1% of those IP addresses were successfully infected, meaning that in just 48 hours the attackers brought 100,000 compromised systems under their control.

The compromised systems were handled differently, based on their location. For example, systems based in Australia, Canada, the United Kingdom, and the United States received Windows click-fraud malware Boaxxe.G, while others received a dropper called Leechole, which then installed a spam proxy called Glupteba.M.

At the time, the exploit kit being used by attackers was Blackhole. But the Windigo gang changed its strategy in October 2013 -- after the arrest of the alleged Blackhole mastermind known as "Paunch" -- and adopted the Neutrino exploit kit instead.

As the ESET report makes clear, any legitimate server that an attacker can compromise may then pose an information security risk to Internet users at large. But server compromises can lead to much more than malware and click-fraud attacks. For example, the Operation Ababil attackers installed freely available exploit toolkits -- including the Brobot distributed denial-of-service (DDoS) Trojan horse -- on PHP websites sporting known weaknesses, then used the servers to launch large-scale DDoS attacks that disrupted US banking websites.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.
