EXECUTIVE SUMMARY:
Security researchers have released a paper documenting a large and complex operation, code named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and UNIX servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and Linux Foundation were confirmed victims.
Targeted operating systems include Apple OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.
The paper lists three main malicious components (ESET detection names):
- Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials
- Linux/Cdorked – an HTTP backdoor used to redirect Web traffic
- Perl/Calfbot – a Perl script used to send spam
Lengthy campaigns by malicious attackers have become commonplace. With the appropriate resources, motivation, and desire, attackers can obtain significant rewards for their efforts. While some campaigns focus on targeting specific organizations to identify and exfiltrate sensitive information, the goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads.
THREAT DETAILS:
The following is according to ESET:
The attack, which has been dubbed “Operation Windigo”, is a complex knot of sophisticated malware components that are designed to hijack servers, infect the computers that visit them, and steal information. Victims of “Operation Windigo” have included cPanel and kernel.org.
ESET’s security research team, which uncovered Windigo, today published a detailed technical paper, presenting the findings of the team’s investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code.
OPERATION WINDIGO: Gathering Strength For Over Three Years
While some experts have spotted elements of the Windigo cybercriminal campaign, the sheer size and complexity of the operation has remained largely unrealised by the security community.
Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.
An Appeal To Sysadmins To Take Action Against Windigo
Over 60% of the world’s websites are running on Linux servers, and ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.
How To Tell If Your Server Has Fallen Foul Of Windigo
ESET researchers, who named Windigo after a mythical creature from Algonquian Native American folklore because of its cannibalistic nature, are appealing for Unix system administrators and webmasters to run the following command which will tell them if their server is compromised or not:
- $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
Tough Medicine For Windigo Victims
If sysadmins discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software. It is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised.
For a higher level of protection in future, technology such as two-factor authentication should be considered. All computer users are reminded that they should never reuse or choose easy-to-crack passwords.
ESET’s Key Findings:
- The Windigo operation has been ongoing since at least 2011
- More than 25,000 unique servers have been compromised in the last two years
- A wide range of operating systems have been compromised by the attackers; Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture
- Malicious modules used in Operation Windigo are designed to be portable. The spam-sending module has been seen running on all kinds of operating systems while the SSH backdoor has been witnessed both on Linux and FreeBSD servers
- Well known organizations including cPanel and Linux Foundation fell victim to this operation
- Windigo is responsible for sending an average of 35 million spam messages on a daily basis
- More than 700 web servers are currently redirecting visitors to malicious content
- Over half a million visitors to legitimate websites hosted on servers compromised by Windigo are being redirected to an exploit kit every day
- The success rate of exploitation of visiting computers is approximately 1%
- The malicious group favours stopping malicious activity over being detected
- The quality of the various malware pieces is high: stealthy, portable, sound cryptography (session keys and nonces) and shows a deep knowledge of the Linux ecosystem
- The HTTP backdoor is portable to Apache’s httpd, Nginx and lighttpd
- The gang maximizes available server resources by running different malware and activities depending on the level of access they have
- No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
- We conclude that password authentication on servers should be a thing of the past
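The ssh -G one-liner in ESET's guidance above, wrapped as an added example (not ESET's or Symantec's own tooling) so that it can run unattended across a fleet and log a verdict; the function names are this example's own. One caveat the advisory predates: OpenSSH 6.8 (released in 2015) added a legitimate -G option to ssh, so on current systems "ssh -G" no longer prints an "illegal option" or "unknown option" error and the 2014 one-liner reports every host as infected. The example therefore gates on the "ssh -V" banner and reports such hosts as inconclusive rather than treating the result as an Ebury indicator.

```shell
#!/bin/sh
# Added example; not ESET's or Symantec's own tooling. Wraps the ssh -G
# check from the advisory so it can run across a fleet and log a verdict.
# Function names are this example's own.
#
# Caveat the advisory predates: OpenSSH 6.8 (2015) added a legitimate -G
# option to ssh, so on current systems "ssh -G" no longer prints
# "illegal/unknown option" and the 2014 one-liner reports every host as
# infected. The version gate below marks those hosts "inconclusive".

# classify_ssh_g_output OUTPUT
# Applies ESET's rule to the captured output of "ssh -G 2>&1": an
# unmodified 2014-era OpenSSH rejects -G with "illegal option" /
# "unknown option"; an Ebury-patched binary accepts it.
classify_ssh_g_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo "clean"
        return 0
    fi
    echo "suspect"
    return 1
}

# openssh_has_native_G VERSION_STRING
# Returns 0 when the "ssh -V" banner is OpenSSH 6.8 or later (where -G is
# a documented option). Non-OpenSSH banners (e.g. Dropbear) return 1.
openssh_has_native_G() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# windigo_ssh_verdict SSH_V_OUTPUT SSH_G_OUTPUT
# Prints clean, suspect or inconclusive; exit status 0, 1 or 2.
windigo_ssh_verdict() {
    if openssh_has_native_G "$1"; then
        echo "inconclusive"
        return 2
    fi
    classify_ssh_g_output "$2"
}

# run_check: evaluate the host this script runs on (ssh -V prints to stderr).
run_check() {
    windigo_ssh_verdict "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
}

# Usage: sh windigo_check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

A "suspect" result from this check is a reason to compare the ssh binary against the distribution package and to rotate the host's credentials as the advisory recommends, not proof of infection on its own; an "inconclusive" result means the host's OpenSSH is too new for this particular indicator.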
AFFECTED SOFTWARE:
- Apple OS X
- OpenBSD
- FreeBSD
- Microsoft Windows (through Cygwin)
- Linux, including Linux on the ARM architecture
SYMANTEC MSS SOC DETECTION CAPABILITIES:
Emergency response measures have been taken in order to provide MSS customers with early warning and potential escalations for successful exploitations related to this threat. Emergency response signatures may generate false positives and will undergo tuning to ensure enhanced accuracy over time; however, given the nature of the threat, it is prudent to be overly cautious about alerting to potentially related activity. Please contact the SOC’s Analysis team if you have any questions or concerns related to this detection or wish to discuss having such signatures disabled or otherwise adjusted to meet your organization’s needs.
For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
MSS SOC Analytics Detection
- URL Analytics (WSM Signatures)
- [MSS URL Detection] Possible Perl/Calfbot Command and Control Communications
- [MSS URL Detection] Potential Linux/CDorked Outbound Communications Detected
- [MSS URL Detection] Potential Perl/Calfbot Outbound Communications Detected
- HotIP Signatures
- Hot-IP - Potential Perl/Calfbot Outbound Communications
Vendor Detection
- Snort/SourceFire
- Emerging Threats (ET)
- Intrushield
- ISS Network Sensor
- Symantec SEP/AV
- Backdoor.Trojan
- Linux.Cdorked
- Linux.SSHKit
- Linux.SSHKit!gen1
- Trojan.Dropper
- Trojan.Tracur!gen5
- Trojan.Tracur!gen8
- Symantec SEP/IPS
- System Infected: Festi Rootkit Activity
This list represents a snapshot of current detection. Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices. As threats evolve, detection for those threats can and will evolve as well.
MITIGATION STRATEGIES:
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
- Symantec recommends that all customers follow IT security best practices. These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.
- Minimum Recommended Best Practices Include:
- Use/Require strong user passwords (8-16+ alphanumeric characters, with at least 1 capital letter, and at least 1 special character)
- Disable default user accounts
- Educate users to avoid following links to untrusted sites
- Always execute browsing software with least privileges possible
- Turn on Data Execution Prevention (DEP) for systems that support it
- Maintain a regular patch and update cycle for operating systems and installed software
- Deploy network intrusion detection/prevention systems to monitor network traffic for malicious activity.
- For technologies not monitored/managed by MSS, ensure all signatures are up to date, including endpoint technologies.
- Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
- Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
- To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
- Do not follow links or open email attachments provided by unknown or untrusted sources.
- Ensure staff is educated on Social Engineering and Phishing techniques.
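Added example, not part of the advisory or of Symantec's or ESET's tooling, for the credential point the findings above make (only stolen credentials were used, and password authentication on servers should be a thing of the past): a POSIX sh audit of sshd_config that reports whether password logins are actually off. It applies sshd's rule that the first value read for a keyword wins, so a hardening line appended below an earlier "PasswordAuthentication yes" is reported as ineffective, and it also checks keyboard-interactive authentication, which otherwise still accepts passwords through PAM. The function names and the sample configurations are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: audit an sshd_config for the
# password-login settings the ESET findings argue against.
# sshd uses the FIRST value it reads for a keyword, so a hardening line
# appended after an earlier "PasswordAuthentication yes" is ignored; this
# audit applies the same rule instead of grepping for any matching line.
# Function names are this example's own.

# sshd_effective_value FILE KEYWORD
# Prints the first value of KEYWORD in the global section of FILE
# (keywords are case-insensitive, "Keyword value" and "Keyword=value"
# spellings are accepted, Match blocks are skipped because they apply
# conditionally). Prints nothing when the keyword is not set.
sshd_effective_value() {
    awk -v key="$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                    # strip indentation
        /^#/ || /^$/ { next }                     # comments and blank lines
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { inmatch = 1; next }        # conditional section begins
        inmatch { next }
        k == key { print f[2]; exit }             # first value wins, as in sshd
    ' "$1"
}

# audit_sshd_password_auth FILE
# Prints "hardened" when password logins are effectively disabled and
# public-key authentication is on; otherwise "weak:" followed by each
# offending setting. Absent keywords take sshd's defaults (all "yes").
# KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication)
# matters because with UsePAM it still accepts passwords even when
# PasswordAuthentication is no.
audit_sshd_password_auth() {
    pw=$(sshd_effective_value "$1" PasswordAuthentication)
    kbd=$(sshd_effective_value "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective_value "$1" ChallengeResponseAuthentication)
    pk=$(sshd_effective_value "$1" PubkeyAuthentication)
    findings=""
    [ "${pw:-yes}" = no ]  || findings="$findings PasswordAuthentication=${pw:-yes(default)}"
    [ "${kbd:-yes}" = no ] || findings="$findings KbdInteractiveAuthentication=${kbd:-yes(default)}"
    [ "${pk:-yes}" = yes ] || findings="$findings PubkeyAuthentication=$pk"
    if [ -z "$findings" ]; then
        echo "hardened"
    else
        echo "weak:$findings"
    fi
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_password_auth "$1"
fi
```

Run it against /etc/ssh/sshd_config after a rebuild, and again after any configuration management run: a "weak:" line naming a keyword with "(default)" means the keyword is simply absent and the permissive default is in force.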
REFERENCES:
- 25,000 Linux and Unix Servers Compromised in Operation Windigo
- Operation Windigo: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan
- Operation Windigo: The vivisection of a large Linux server-side credential stealing malware campaign
http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf