3/19/2014 12:06 PM
Linux Takeover Artists Fling 35M Spam Messages Daily

"Operation Windigo" server takeover campaign controls 10,000 hacked servers, launches millions of spam, malware, and drive-by exploit kit attacks per day.

Beware a long-running Linux server compromise campaign that's being used to fling 35 million spam messages each day. The gang behind the attacks also controls a network of 700 compromised Web servers that's regularly used to steal secure shell (SSH) credentials and redirect 500,000 people per day to sites that host malicious content.

That warning was sounded Tuesday by security firm ESET, which has released an in-depth study of the so-called "Operation Windigo" attack campaign. "According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today," said Pierre-Marc Bureau, security intelligence program manager for ESET, in a blog post. "This number is significant if you consider each of these systems have access to significant bandwidth, storage, computing power, and memory. Well-known organizations such as cPanel and kernel.org were on the list of victims, although they have now cleaned their systems."

The gang behind Operation Windigo has relied on three homebuilt tools to handle the main parts of the malicious operation. Those tools include Ebury, which is a Linux-compatible OpenSSH backdoor that can be used to remotely steal credentials as well as control servers. It was installed on more than 25,000 servers that have been compromised and is still active on 10,000 servers. Attackers also built Cdorked, an HTTP backdoor, which runs on Apache's httpd, as well as the Nginx and lighttpd web servers, to redirect a server's web traffic. It often works in conjunction with a modified DNS server called Onimiki and currently infects about 700 servers. Finally, they've created a Perl script called Calfbot, designed to send spam, which has infected systems running FreeBSD, Linux, Mac OS X, OpenBSD, and even Windows -- with Perl running via the Unix-like environment and command-line interface known as Cygwin.

All of that malware was designed with one over-arching purpose. "The goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads," according to a blog post from Symantec.


Furthermore, a teardown of the Windigo malware reveals that the attackers are both technically astute and expert at hiding their tracks. "The complexity of the backdoors deployed by the malicious actors shows out-of-the-ordinary knowledge of operating systems and programming," according to the ESET report. They've also been careful to develop stealthy, malicious code that runs "on a wide range of server operating systems," thus expanding their reach. "They leave as little trace as possible on the hard drive, so it makes forensics a lot harder," said ESET malware researcher Marc-Etienne M. Léveillé, speaking by phone. "For example, to infect OpenSSH, they will not modify OpenSSH itself; they will modify a shared library used by OpenSSH, so it makes it very hard [for admins] to tell that they're compromised."
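Because the backdoor lives in a shared library rather than in the OpenSSH binary, a defender's check has to look at what the running sshd actually loaded, not just at sshd itself. The script below is an added example (not ESET's tooling or any code from the report): it parses a /proc/<pid>/maps excerpt for the sshd process and flags any executable mapping that the package manager does not account for, or whose backing file has been deleted from disk while still mapped. The maps excerpt, the library names and the package file list are all constructed for illustration.

```python
import re

# Constructed excerpt of /proc/<pid>/maps for an sshd process (not a real capture).
SAMPLE_MAPS = """\
55e1c0000000-55e1c0100000 r-xp 00000000 fd:01 131    /usr/sbin/sshd
55e1c0300000-55e1c0320000 rw-p 00000000 00:00 0      [heap]
7f2a10000000-7f2a10020000 r-xp 00000000 fd:01 2048   /lib/x86_64-linux-gnu/libc.so.6
7f2a10020000-7f2a10030000 r--p 00000000 fd:01 2048   /lib/x86_64-linux-gnu/libc.so.6
7f2a10040000-7f2a10050000 r-xp 00000000 fd:01 2050   /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f2a10060000-7f2a10070000 r-xp 00000000 fd:01 9999   /lib/x86_64-linux-gnu/libz.so.1 (deleted)
7f2a10080000-7f2a10090000 r-xp 00000000 fd:01 31337  /usr/lib/libexample-unpackaged.so.1
7fff00000000-7fff00001000 r-xp 00000000 00:00 0      [vdso]
"""

# Constructed stand-in for the package manager's file inventory (on a real host,
# build it from `dpkg -S` / `rpm -qf` and also run `dpkg --verify` or `rpm -V`
# so that a packaged path with tampered contents is caught as well).
PACKAGED = {
    "/usr/sbin/sshd",
    "/lib/x86_64-linux-gnu/libc.so.6",
    "/lib/x86_64-linux-gnu/libcrypto.so.1.0.0",
    "/lib/x86_64-linux-gnu/libz.so.1",
}

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$")


def mapped_objects(maps_text):
    """Return {path: was_deleted} for every file-backed executable mapping."""
    objs = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m.group("perms"):
            continue
        path = m.group("path").strip()
        if not path.startswith("/"):          # skip [heap], [vdso], anonymous maps
            continue
        deleted = path.endswith(" (deleted)")  # file replaced/removed while mapped
        if deleted:
            path = path[: -len(" (deleted)")]
        objs[path] = objs.get(path, False) or deleted
    return objs


def audit_sshd_libs(maps_text, packaged_paths):
    """List (path, reason) for loaded objects that deserve a closer look."""
    findings = []
    for path, deleted in sorted(mapped_objects(maps_text).items()):
        if deleted:
            findings.append((path, "mapped file no longer on disk"))
        if path not in packaged_paths:
            findings.append((path, "not owned by any installed package"))
    return findings
```

A hit on either condition is a lead, not proof; confirm by verifying the file against the distribution's checksums and by comparing against a known-clean host.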

Together with its report, ESET this week also released signs -- or indicators of compromise -- for detecting that malware, in the form of a Yara file for malware researchers, as well as rules for the open source intrusion detection and prevention (IDS/IPS) system Snort.

Worldwide distribution of hosts infected by Linux/Ebury, one of the three Operation Windigo tools. (Credit: ESET research.)

Even if discovered, however, the malware can be difficult to eradicate. "Over the last few years, our team has been handling and fixing compromised servers and we can attest to how complex the clean-up for this infection can be," said Daniel Cid, CTO at Sucuri, in a blog post. "We've seen that the servers we've fixed have been misused for distribution of malware, spam, and -- in some cases -- to steal credit cards on compromised Web servers used for e-commerce."

Just what happens after the Windigo malware successfully infects a server? In September 2013, ESET researchers successfully captured network traffic for a Cdorked-infected server that was acting as a reverse proxy, and found that over a two-day period, 1.1 million IP addresses were routed through the server to a malicious website hosting an exploit kit. According to ESET, 1% of all of those IP addresses were successfully infected, meaning that in just 48 hours the attackers successfully brought 100,000 compromised systems under their control.

The compromised systems were handled differently, based on their location. For example, systems based in Australia, Canada, the United Kingdom, and the United States received Windows click-fraud malware Boaxxe.G, while others received a dropper called Leechole, which then installed a spam proxy called Glupteba.M.

At the time, the exploit kit being used by attackers was Blackhole. But the Windigo gang changed its strategy in October 2013 -- after the arrest of the alleged Blackhole mastermind known as "Paunch" -- and adopted the Neutrino exploit kit instead.

As the ESET report makes clear, any legitimate server that an attacker can compromise may then pose an information security risk to Internet users at large. But server compromises can lead to much more than malware and click-fraud attacks. For example, the Operation Ababil attackers installed freely available exploit toolkits -- including the Brobot distributed denial-of-service (DDoS) Trojan horse -- on PHP websites sporting known weaknesses, then used the servers to launch large-scale DDoS attacks that disrupted US banking websites.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.
