A Large-scale Windigo Attack Hits 25,000 Linux & Unix Servers

Posted: March 21, 2014 in IT Security News
Tags: , , , ,

ESET LogoESET Company has recently published a 69 page report containing the detailed analysis of an ongoing large-scale attack on servers running on Linux, FreeBSD and other Unix-like systems since 2011.

During the attack (the codename ‘Operation Windigo’) a group of cyber criminals has obtained control of more than 25,000 of servers in three years, 10,000 of which were brought down by tones of malware.

The massive invasion, carried out with the use of intercepted or picked server passwords, was followed by an external installation of Trojans. In particular, SSH was replaced by a malicious modification designed to retrieve passwords when accessing other servers and send them to the attackers; kernel modules were installed, the executable http-serverApache files were modified, lighttpd or nginx were also installed for insertions of harmful code in to organize raids on client systems, and finally spamming have been installed. DNS- servers are reported to be affected by the module for resolving results replacement for specific domains without changing the server configuration.


Therefore, for example, the amount of spam sent from the affected server used to reach 35 million messages at peak levels. Windows users are redirected to the page with the exploit kit implanted, OS X users collide with forcible advertising and iOS are redirected to pornographic resources. Backdoor for SSH was supplied for Linux and FreeBSD only, http servers attacks components were used for Linux, while spam module was written in Perl and works on any Unix-like system. According to the report, not only x86 architecture-based systems were penetrated, ARM architecture-based systems have also been subjected to malicious actions. The fact should be underlined that the attackers made no attempts to exploit vulnerabilities on servers – the intercepted authentication parameters used were used for penetration exclusively.

Windigo Attack

It is also reported that the high-profile cPanel, kernel.org and Linux Foundation servers hacking has been committed as a part of large-scale Windigo attack. To check whether your system hosts an SSH Trojan run ‘ssh-G’: if you receive a notification about the unavailability or incorrect value, the system is safe and sound. However, if you discover the facto of SSH substitution, it is recommended to reinstall the operating system and applications on the server from scratch as soon as possible, in this case you should better change all the passwords and access keys as well.

Infection Scenarios


We Live Security – ‘Operation Windigo’
The ‘Operation Windigo’ report

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s