Monday 24 March 2014

Windigo Hijacks 25,000 Servers to Spew Out Spam, Malware

Attackers infected and seized control of over 25,000 Unix servers to create a massive spam and malware distribution platform, ESET said. Linux and Unix administrators need to immediately check if their servers are among the victims.
The gang behind the attack campaign uses the infected servers to steal credentials, distribute spam and malware, and redirect users to malicious sites. The infected servers send 35 million spam messages each day, and redirect half a million Web visitors to malicious sites daily, said Pierre-Marc Bureau, a security intelligence program manager at ESET. The researchers believe the campaign, dubbed Operation Windigo, has hijacked over 25,000 servers in the past two-and-a-half years. The group currently has 10,000 servers under their control, Bureau said.
ESET released a technical paper with more details about the campaign, and included a simple ssh command which administrators can use to figure out if their servers have been hijacked. If that happens to be the case, administrators should re-install the operating system on the infected server and change all credentials ever used to log into the machine. Since Windigo harvested credentials, administrators should assume all passwords and private OpenSSH keys used on that machine are compromised and should be changed, ESET warned. The recommendations apply to both Unix and Linux administrators.
Wiping the machine and re-installing the operating system from scratch may sound a little extreme, but considering that the attackers had stolen administrator credentials, installed backdoors, and had gained remote access to the servers, taking the nuclear option seems necessary.
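The ssh check the article refers to is ESET's published indicator: an Ebury-patched OpenSSH client accepted an undocumented -G flag, so a clean client of that era rejected it with "illegal option" or "unknown option". The wrapper below is an added example, not code from the article or from ESET's paper; it adds the assumption that OpenSSH 6.8 and later (which introduced a legitimate -G) makes the test inconclusive rather than a sign of infection.

```shell
#!/bin/sh
# Added example: wraps ESET's `ssh -G` Ebury indicator with a version guard.
# Assumption (not from the article): OpenSSH >= 6.8 accepts -G legitimately,
# so on those builds the indicator cannot distinguish clean from patched.

# Parse "OpenSSH_X.Y..." (the `ssh -V` banner) into major*100 + minor.
openssh_version_number() {
  # $1: `ssh -V` output, e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL ..."
  v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$v" ] || { echo 0; return; }
  set -- $v
  echo $(( $1 * 100 + $2 ))
}

# Classify a host from the two command outputs.
# Prints: clean | suspect | inconclusive
classify_ebury_ssh_check() {
  # $1: `ssh -V` output, $2: `ssh -G` output (stdout and stderr merged)
  ver=$(openssh_version_number "$1")
  if [ "$ver" -ge 608 ]; then
    # -G is a real option here; a usage line is expected, not an indicator.
    echo inconclusive
    return
  fi
  case "$2" in
    *illegal*|*unknown*) echo clean ;;   # client rejected -G as ESET expects
    *) echo suspect ;;                   # -G accepted: follow ESET's guidance
  esac
}

# Run the check against the local ssh client (exit status of ssh is ignored).
check_local_ssh() {
  ver_out=$(ssh -V 2>&1 || true)
  g_out=$(ssh -G 2>&1 || true)
  classify_ebury_ssh_check "$ver_out" "$g_out"
}
```

A "suspect" result is a trigger for the re-install and credential rotation the article describes, not proof on its own; "inconclusive" means this particular indicator no longer applies to that OpenSSH build.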
Attack Elements

Windigo relies on a cocktail of sophisticated malware to hijack and infect the servers, including Linux/Ebury, an OpenSSH backdoor and credential stealer, as well as five other pieces of malware. Over the course of a single weekend, ESET researchers observed more than 1.1 million different IP addresses passing through Windigo's infrastructure before being redirected to malicious sites.
Websites compromised by Windigo in turn infected Windows users with an exploit kit pushing click fraud and spam-sending malware, showed questionable advertisements for dating sites to Mac users, and redirected iPhone users to online porn sites. Well-known organizations such as cPanel and kernel.org were among the victims, although they have cleaned their systems, Bureau said.
Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and even Windows, Bureau said.
Rogue Servers

Considering that three in five of the world's websites are running on Linux servers, Windigo has plenty of potential victims to play with. The backdoor used to compromise the servers was installed manually and exploits poor configuration and security controls, not software vulnerabilities in the operating system, ESET said.
"This number [10,000 servers] is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory," said Bureau.
A handful of malware-infected servers can cause a lot more harm than a large botnet of regular computers. Servers generally have better hardware and processing power, and have faster network connections than end-user computers. Recall that the powerful distributed denial of service attacks against various banking websites last year originated from infected Web servers in data centers. If the team behind Windigo ever switches tactics from just using the infrastructure to spread spam and malware to something even nastier, the resulting damage could be significant.