Dark Reading is part of the Informa Tech Division of Informa PLC


Linux Takeover Artists Fling 35M Spam Messages Daily

"Operation Windigo" server takeover campaign controls 10,000 hacked servers, launches millions of spam, malware, and drive-by exploit kit attacks per day.

Beware a long-running Linux server compromise campaign that's being used to fling 35 million spam messages each day. The gang behind the attacks also controls about 700 compromised Web servers that redirect 500,000 visitors per day to sites hosting malicious content, and uses a backdoored OpenSSH on infected hosts to steal secure shell (SSH) credentials.

That warning was sounded Tuesday by security firm ESET, which has released an in-depth study of the so-called "Operation Windigo" attack campaign. "According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today," said Pierre-Marc Bureau, security intelligence program manager for ESET, in a blog post. "This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power, and memory. Well-known organizations such as cPanel and kernel.org were on the list of victims, although they have now cleaned their systems."

The gang behind Operation Windigo relies on three homebuilt tools for the main parts of the operation. Ebury is an OpenSSH backdoor for Linux that steals credentials and gives the attackers remote control of the server; it has been installed on more than 25,000 compromised servers and is still active on about 10,000 of them. Cdorked is an HTTP backdoor for the Apache httpd, nginx, and lighttpd web servers that redirects a server's web traffic; it often works together with a trojanized DNS server called Onimiki and currently infects about 700 servers. Calfbot is a Perl script for sending spam that has infected systems running FreeBSD, Linux, Mac OS X, OpenBSD, and even Windows, where Perl runs under Cygwin, the Unix-like environment and command-line interface for Windows.

All of that malware was designed with one over-arching purpose. "The goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads," according to a blog post from Symantec.


Furthermore, a teardown of the Windigo malware reveals that the attackers are both technically astute and expert at hiding their tracks. "The complexity of the backdoors deployed by the malicious actors shows out-of-the-ordinary knowledge of operating systems and programming," according to the ESET report. They have also been careful to develop stealthy, malicious code that runs "on a wide range of server operating systems," thus expanding their reach. "They leave as little trace as possible on the hard drive, so it makes forensics a lot harder," said ESET malware researcher Marc-Etienne M. Léveillé, speaking by phone. "For example, to infect OpenSSH, they will not modify OpenSSH itself; they will modify a shared library used by OpenSSH, so it makes it very hard [for admins] to tell that they're compromised."
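The shared-library trick Léveillé describes is exactly what an integrity check on the daemon's dependency chain is meant to catch: checking the sshd binary alone misses it. The script below is an added example written for this article, not ESET's tooling and not code from the Windigo report. It lists the libraries that sshd loads, hashes each one, and diffs the result against a baseline recorded while the host was known-good. The function names, the sample ldd listing, the library paths and the placeholder hashes are all constructed for the demonstration; the library names in the sample are illustrative and are not a claim about which file Windigo patches.

```shell
#!/bin/sh
# Added example, not from the article or from ESET: catch a swapped shared
# library in sshd's dependency chain by hashing every library the binary loads
# and diffing against a baseline taken while the host was known-good.
#
# Real use (needs ldd and sha256sum):
#   record_baseline /usr/sbin/sshd > /var/lib/sshd-libs.baseline   # on a clean host
#   check_binary    /usr/sbin/sshd   /var/lib/sshd-libs.baseline   # on a schedule
#
# The ldd output, library paths and hashes below are constructed so the
# parsing and comparison logic can be exercised without touching a live sshd.

# Library paths from ldd output. ldd prints "name => /path (0xaddr)" for
# resolved libraries; the vdso and dynamic-loader lines carry no "=>" + path.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# "path sha256" for every library a binary loads, sorted for stable diffs.
record_baseline() {
    ldd "$1" | ldd_paths | while read -r lib; do
        sha256sum "$lib" | awk '{ print $2, $1 }'
    done | sort
}

# Compare a current "path hash" listing on stdin with a baseline file ($1).
# Prints CHANGED / NEW / MISSING lines; prints nothing when the two agree.
compare_listing() {
    awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, f, " ")
                want[f[1]] = f[2]
            }
            close(base)
        }
        {
            seen[$1] = 1
            if (!($1 in want))       print "NEW " $1
            else if (want[$1] != $2) print "CHANGED " $1
        }
        END {
            for (p in want) if (!(p in seen)) print "MISSING " p
        }
    ' | sort
}

# Live check: exit 0 when the loaded libraries match the baseline, 1 otherwise.
check_binary() {
    report=$(record_baseline "$1" | compare_listing "$2")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# --- constructed sample data (placeholder hashes, not real digests) ---------
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd3a5f0000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1c2e200000)
    libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f1c2e1f0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2e000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2e500000)'

CLEAN_BASELINE='/lib/x86_64-linux-gnu/libc.so.6 1111aaaa
/lib/x86_64-linux-gnu/libcrypto.so.1.1 2222bbbb
/lib/x86_64-linux-gnu/libkeyutils.so.1 3333cccc
/lib/x86_64-linux-gnu/libpam.so.0 4444dddd'

# Same host later: one library hashes differently, one is gone, one is new.
CURRENT_LISTING='/lib/x86_64-linux-gnu/libc.so.6 1111aaaa
/lib/x86_64-linux-gnu/libcrypto.so.1.1 2222bbbb
/lib/x86_64-linux-gnu/libkeyutils.so.1 9999ffff
/usr/local/lib/libssh-helper.so 5555eeee'

# Runs the comparison over the constructed data and prints the findings.
demo_compare() {
    tmp=$(mktemp)
    printf '%s\n' "$CLEAN_BASELINE" > "$tmp"
    printf '%s\n' "$CURRENT_LISTING" | compare_listing "$tmp"
    rm -f "$tmp"
}

# Number of resolved library paths in the constructed ldd listing (3: the
# vdso and loader lines are skipped).
demo_path_count() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths | wc -l | tr -d ' '
}

demo_compare
```

On a live host, run `record_baseline` once on a clean system, keep the baseline off-host, and run `check_binary` on a schedule; the same path list can also be fed to the distribution's own verification (`rpm -V` on the owning packages, or `debsums` on Debian-family systems) so the comparison does not depend on a baseline you took yourself. The blind spot is the one the article's forensics quote implies: on an already compromised host, ldd, sha256sum and the kernel itself may lie, so a suspected hit should be confirmed from a trusted boot medium. At the time of the disclosure ESET also published a one-line test that relied on the backdoored ssh client accepting a -G option that stock OpenSSH then rejected; OpenSSH has shipped -G since 6.8, so that particular check no longer discriminates.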

Together with its report, ESET this week also released indicators of compromise for detecting the malware: a YARA rule file for malware researchers, and rules for the open source intrusion detection and prevention system (IDS/IPS) Snort.

Worldwide distribution of hosts infected by Linux/Ebury, one of the three Operation Windigo tools. (Credit: ESET research.)

Even if discovered, however, the malware can be difficult to eradicate. "Over the last few years, our team has been handling and fixing compromised servers and we can attest to how complex the clean-up for this infection can be," said Daniel Cid, CTO at Sucuri, in a blog post. "We've seen that the servers we've fixed have been misused for distribution of malware, spam, and -- in some cases -- to steal credit cards on compromised Web servers used for e-commerce."

Just what happens after the Windigo malware successfully infects a server? In September 2013, ESET researchers captured network traffic for a Cdorked-infected server that was acting as a reverse proxy and found that, over a two-day period, 1.1 million IP addresses were routed through the server to a malicious website hosting an exploit kit. According to ESET, about 1% of those addresses, roughly 11,000 systems, were successfully infected in just 48 hours.

Which payload a newly infected system received depended on its location. Systems in Australia, Canada, the United Kingdom, and the United States got the Windows click-fraud malware Boaxxe.G, while others got a dropper called Leechole, which then installed the spam proxy Glupteba.M.

At the time, the exploit kit being used by attackers was Blackhole. But the Windigo gang changed its strategy in October 2013 -- after the arrest of the alleged Blackhole mastermind known as "Paunch" -- and adopted the Neutrino exploit kit instead.

As the ESET report makes clear, any legitimate server that an attacker can compromise may then pose an information security risk to Internet users at large. And server compromises can lead to much more than malware and click-fraud attacks. For example, the Operation Ababil attackers installed freely available attack tools, including the Brobot distributed denial-of-service (DDoS) Trojan, on PHP websites with known weaknesses, then used those servers to launch large-scale DDoS attacks that disrupted US banking websites.


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
