“Windigo” Op infected 25,000 servers worldwide in the last two years

By using a backdoor trojan to compromise thousands of Unix and Linux servers, attackers have been able to sustain a far-reaching spam and malware campaign.

On Tuesday, security firm ESET published a white paper (PDF) detailing “Operation Windigo,” which has infected more than 25,000 servers worldwide in the last two years.

In collaboration with Germany’s CERT-Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN), and other organizations that formed an international working group, ESET figured out Windigo’s complex attack cycle.

According to the 69-page white paper, an OpenSSH backdoor dubbed Linux/Ebury steals administrators’ credentials, which ultimately gives the Windigo attackers the ability to redirect end-users to malicious content or to spam their accounts with messages.

Among the servers in 110 countries that have been impacted by Operation Windigo, the majority are in the United States, Germany, France, Italy and the U.K. ESET estimates that there are currently more than 10,000 infected servers worldwide, and that Windigo is responsible for sending around 35 million spam messages a day to end-users.

“The backbone of the operation is the SSH backdoor, that is used to maintain control over the infected servers and also to steal more credentials,” Bureau said. “Once the attacker steals credentials, he can use it for various purposes, such as to send spam by using a script [or] they can install another [malware] component to redirect visitors to advertisements for click fraud, or to [exploit] pages.”

End-users on mobile devices have also fallen victim to the redirect scams, Bureau explained, as the campaign serves different content to users depending on what kind of device they are on. iPhone users, for instance, are redirected to x-rated advertisements, Windows PC users are redirected to exploit pages, and Mac users are redirected to dating site adverts.

“It is a very complex operation. The message we are trying to send out is to system administrators – to make sure they clean their servers and understand how this can have an impact on their web visitors,” Bureau added.

Source: Associated Press

One comment on ““Windigo” Op infected 25,000 servers worldwide in the last two years”

  1. StellarPhoenixS
    December 18, 2014

    Reblogged this on Stellar Phoenix Solutions.

This entry was posted on March 19, 2014 in Data Storage, Hardware, Linux, Malware, Security, Server.