3/19/2014 12:06 PM
Linux Takeover Artists Fling 35M Spam Messages Daily

"Operation Windigo" server takeover campaign controls 10,000 hacked servers, launches millions of spam, malware, and drive-by exploit kit attacks per day.

Beware a long-running Linux server compromise campaign that's being used to fling 35 million spam messages each day. The gang behind the attacks also controls a network of 700 compromised Web servers that's regularly used to steal secure shell (SSH) credentials and redirect 500,000 people per day to sites that host malicious content.

That warning was sounded Tuesday by security firm ESET, which has released an in-depth study of the so-called "Operation Windigo" attack campaign. "According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today," said Pierre-Marc Bureau, security intelligence program manager for ESET, in a blog post. "This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power, and memory. Well-known organizations such as cPanel and kernel.org were on the list of victims, although they have now cleaned their systems."

The gang behind Operation Windigo has relied on three homebuilt tools to handle the main parts of the malicious operation. Those tools include Ebury, which is a Linux-compatible OpenSSH backdoor that can be used to remotely steal credentials as well as control servers. It was installed on more than 25,000 servers that have been compromised and is still active on 10,000 servers. Attackers also built Cdorked, an HTTP backdoor, which runs on Apache's httpd, as well as the Nginx and lighttpd web servers, to redirect a server's web traffic. It often works in conjunction with a modified DNS server called Onimiki and currently infects about 700 servers. Finally, they've created a Perl script called Calfbot, designed to send spam, which has infected systems running FreeBSD, Linux, Mac OS X, OpenBSD, and even Windows -- with Perl running via the Unix-like environment and command-line interface known as Cygwin.

All of that malware was designed with one over-arching purpose. "The goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads," according to a blog post from Symantec.


Furthermore, a teardown of the Windigo malware reveals that the attackers are both technically astute and expert at hiding their tracks. "The complexity of the backdoors deployed by the malicious actors shows out-of-the-ordinary knowledge of operating systems and programming," according to the ESET report. In addition, they've also been careful to develop stealthy, malicious code that runs "on a wide range of server operating systems," thus expanding their reach. "They leave as little trace as possible on the hard drive, so it makes forensics a lot harder," said ESET malware researcher Marc-Etienne M. Léveillé, speaking by phone. "For example, to infect OpenSSH, they will not modify OpenSSH itself; they will modify a shared library used by OpenSSH, so it makes it very hard [for admins] to tell that they're compromised."

Together with its report, ESET this week also released signs -- indicators of compromise -- for detecting the malware, in the form of YARA rules for malware researchers, as well as rules for Snort, the open source intrusion detection and prevention system (IDS/IPS).
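The detection problem Léveillé describes above, a backdoor that lives in a shared library rather than in the OpenSSH binary, suggests a concrete host-side check that complements ESET's published YARA and Snort indicators: enumerate the libraries the SSH daemon actually loads and ask the package manager whether each one is owned by a package and still matches its recorded checksum. The script below is an added example written for this article, not code from ESET or from the Windigo report; the `ldd` output it parses stand-alone is constructed sample data, and the `dpkg`, `rpm` and `debsums` invocations are standard tooling on Debian- and RPM-based systems rather than anything specific to this campaign.

```python
#!/usr/bin/env python3
"""Audit the shared libraries loaded by an SSH daemon against the package manager.

Added example (not from the original article or from ESET). Idea: a backdoor
placed in a shared library leaves the sshd binary pristine, so checking sshd
alone proves nothing; every library it links must be owned by a package and
pass that package's integrity verification.
"""
import re
import shutil
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample of `ldd /usr/sbin/sshd` output (load addresses are made up)
# so the parser can be exercised offline.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd3c9f0000)
\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1a2c000000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a2bde0000)
\tlibpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f1a2bbd0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c400000)
"""

# Matches "soname => /abs/path (0xaddr)" as well as the bare "/abs/path (0xaddr)"
# form used for the dynamic loader; the vDSO line has no path and is skipped.
_PATH_RE = re.compile(r"(?:=>\s*)?(/\S+)\s+\(0x[0-9a-f]+\)")


def parse_ldd(text: str) -> List[str]:
    """Return the absolute library paths listed in `ldd` output, in order."""
    paths = []
    for line in text.splitlines():
        m = _PATH_RE.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def package_owner(path: str) -> Optional[str]:
    """Return the package that installed `path`, or None if no package claims it."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]      # prints "pkg[:arch]: /path"
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]      # prints the package name
    else:
        raise RuntimeError("no supported package manager (dpkg or rpm) found")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    first = proc.stdout.strip().splitlines()[0]
    return first.split(":")[0] if cmd[0] == "dpkg" else first


def audit_libraries(paths: List[str],
                    owner_fn: Callable[[str], Optional[str]] = package_owner
                    ) -> Dict[str, Optional[str]]:
    """Map each library path to its owning package (None = unowned file)."""
    return {p: owner_fn(p) for p in paths}


def unowned(report: Dict[str, Optional[str]]) -> List[str]:
    """Libraries no package claims: on a package-built server, investigate these."""
    return sorted(p for p, pkg in report.items() if pkg is None)


def verify_package(pkg: str) -> List[str]:
    """Run the package manager's file verification; an empty list means clean."""
    if shutil.which("debsums"):
        cmd = ["debsums", "-c", pkg]    # lists files whose checksum changed
    elif shutil.which("rpm"):
        cmd = ["rpm", "-V", pkg]        # one line per file that fails verification
    else:
        raise RuntimeError("no verification tool (debsums or rpm) found")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return [line for line in proc.stdout.splitlines() if line.strip()]


def main(binary: str = "/usr/sbin/sshd") -> None:
    ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    report = audit_libraries(parse_ldd(ldd.stdout))
    for path, pkg in report.items():
        print(f"{path}: {pkg or 'NOT OWNED BY ANY PACKAGE'}")
    for pkg in sorted({p for p in report.values() if p}):
        for complaint in verify_package(pkg):
            print(f"{pkg}: {complaint}")


if __name__ == "__main__":
    main()
```

Two caveats apply when reading the output. `ldd` only shows libraries resolved through normal dynamic linking, so anything injected through `/etc/ld.so.preload` or `LD_PRELOAD` must be checked separately, and an attacker with root can alter the package database or the verification tools themselves; a result of "all owned, all verified" is therefore only as trustworthy as the tooling it ran on, which is why comparing against hashes held off-host, or booting from trusted media, is the stronger form of this check.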

Worldwide distribution of hosts infected by Linux/Ebury, one of the three Operation Windigo tools. (Credit: ESET research.)

Even if discovered, however, the malware can be difficult to eradicate. "Over the last few years, our team has been handling and fixing compromised servers and we can attest to how complex the clean-up for this infection can be," said Daniel Cid, CTO at Sucuri, in a blog post. "We've seen that the servers we've fixed have been misused for distribution of malware, spam, and -- in some cases -- to steal credit cards on compromised Web servers used for e-commerce."

Just what happens after the Windigo malware successfully infects a server? In September 2013, ESET researchers successfully captured network traffic for a Cdorked-infected server that was acting as a reverse proxy, and found that over a two-day period, 1.1 million IP addresses were routed through the server to a malicious website hosting an exploit kit. According to ESET, 1% of all of those IP addresses were successfully infected, meaning that in just 48 hours the attackers successfully brought 100,000 compromised systems under their control.

The compromised systems were handled differently, based on their location. For example, systems based in Australia, Canada, the United Kingdom, and the United States received Windows click-fraud malware Boaxxe.G, while others received a dropper called Leechole, which then installed a spam proxy called Glupteba.M.

At the time, the exploit kit being used by attackers was Blackhole. But the Windigo gang changed its strategy in October 2013 -- after the arrest of the alleged Blackhole mastermind known as "Paunch" -- and adopted the Neutrino exploit kit instead.

As the ESET report makes clear, any legitimate server that an attacker can compromise may then pose an information security risk to Internet users at large. But server compromises can lead to much more than malware and click-fraud attacks. For example, the Operation Ababil attackers installed freely available exploit toolkits -- including the Brobot distributed denial-of-service (DDoS) Trojan horse -- on PHP websites sporting known weaknesses, then used the servers to launch large-scale DDoS attacks that disrupted US banking websites.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.
