25,000 co-opted Linux servers spread spam, drop malware and steal credentials


Image: iStock


Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This report was a joint research effort by ESET, CERT-Bund, SNIC and CERN. The key phrase in the report title is “server-side.”

Over the past two years, ESET has chronicled 25,000 malware-infected servers that have been instrumental in:

  • Spam operations (averaging 35 million spam messages per day)
  • Infecting site visitors’ computers via drive-by exploits
  • Redirecting visitors to malicious website

The report talks about two well-known organizations that became victims of Windigo: “This operation has been ongoing since 2011 and has affected high-profile servers and companies, including cPanel and Linux Foundation’s kernel.org.”

Single-factor logins make it easy

The Linux servers had a common thread — all were infected with Linux/Ebury, malware known to provide a root backdoor shell along with the ability to steal SSH credentials. The report also said, “No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.”

In a sense that helps explain the compromise, as Linux servers are for the most part bulletproof. 

Windigo 1.png

Windigo 1.png

Pierre-Marc Bureau

Image: ESET

 So, how did attackers get root-access credentials, login, and ultimately install the malware?

For those answers, I enlisted the help of Pierre-Marc Bureau, security intelligence program manager for ESET. Bureau said all it takes is to compromise one server in a network, then it becomes easy. Once root is obtained, attackers install Linux/Ebury on the compromised server, and start harvesting SSH-login credentials.

With the additional login credentials, attackers explore to see what other servers can be compromised in that particular network.

This slide depicts the infection process:


Windigo 2.png

Windigo 2.png

Infection process

Image: ESET


Additional malware

As mentioned earlier, the infected servers are part of spam campaigns, redirect visitors to malicious websites, or download malware to the victim’s computer if it is vulnerable. In order to accomplish this, the attackers install additional malware on the servers, consisting of:

The victims

The report mentions there are two types of victims, the Linux/Unix server operators, and end-users who receive spam and or visit a website hosted by a compromised server. In that regard, ESET has determined that compromised servers try to download the following Windows malware:

Snort and Yara rules

ESET has worked up Snort and Yara rules that can be found at GitHub.

Leave a Reply