
10,000 Linux servers hit by malware serving tsunami of spam and exploits

Two-year-old Windigo may also have infected kernel.org Linux developers.


Researchers have documented an ongoing criminal operation infecting more than 10,000 Unix and Linux servers with malware that sends spam and redirects end users to malicious Web pages.

Windigo, as the attack campaign has been dubbed, has been active since 2011 and has compromised systems belonging to the Linux Foundation's kernel.org and the developers of the cPanel Web hosting control panel, according to a detailed report published Tuesday by researchers from antivirus provider Eset. During its 36-month run, Windigo has compromised more than 25,000 servers with robust malware that sends more than 35 million spam messages a day and exposes Windows-based Web visitors to drive-by malware attacks. It also serves banner ads for porn services to visitors running any type of computer.

The Eset researchers, who have been instrumental in uncovering similar campaigns compromising large numbers of servers running the nginx, Lighttpd, and Apache Web servers, said the latest campaign has the potential to inflict significant harm on the Internet at large. They explained:

The number of systems affected by Operation Windigo might seem small when compared with recent malware outbreaks where millions of desktops are infected. It is important to keep in mind that, in this case, each infected system is a server. These usually offer services to numerous users and are equipped with far more resources in terms of bandwidth, storage and computation power than normal personal computers. A denial of service attack or a spam-sending operation using one thousand servers is going to be far more effective than the same operation performed with the same number of desktop computers.

Remember the kernel.org hack?

Tuesday's report is also notable because it may provide important new details about the 2011 compromise that gained unfettered access to servers belonging to kernel.org, the group that maintains and distributes the Linux operating system kernel. Leaders of the Linux Foundation reneged on a promise to provide a full autopsy of the attack, leaving the motives of the attackers a mystery.

Until now, publicly known details of the attack were largely limited to its use of a self-injecting rootkit—Phalanx or Phalanx2—to infect kernel.org servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The malware had access to potentially sensitive information stored on the infected machines. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers.

According to Eset, kernel.org servers were probably infected by a second piece of malware dubbed Linux/Ebury, an OpenSSH backdoor used to keep control of the servers and steal credentials. Ebury runs mostly on Linux servers and provides root backdoor shell access to infected servers, giving it the ability to steal SSH credentials.

"The timeline is interesting as well," Eset researchers wrote in the report. "While Phalanx2 had been used in many compromises before, it has not, to our knowledge, been seen in the wild after the Linux Foundation compromise. Interestingly, this was the first known case involving Linux/Ebury."

In addition to Linux/Ebury, one of the other main malware components comprising Windigo includes Linux/Cdorked, an HTTP backdoor used to redirect website visitors to malicious software exploits and fraudulent content. A third component, known as Perl/Calfbot, is a Perl script that causes infected machines to send spam. Curiously, the Eset report makes no reference to Darkleech, an exploitation toolkit that last year infected an estimated 20,000 websites running Apache.

The Windigo campaign doesn't rely on technical vulnerabilities to take hold of servers, Eset said. Instead, it uses stolen credentials. That finding led the researchers to conclude that password authentication for server access is inadequate and that people should rely on two-factor authentication instead. People who want to know whether the servers they operate are affected by the Windigo campaign can run the following command:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
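As an added example, not code from the Ars Technica article or from the Eset report, here is the check above wrapped in a POSIX shell function that also reads the `ssh -V` banner. The indicator works because a stock OpenSSH client of that era rejects the undocumented `-G` flag with an "illegal option" or "unknown option" error, while the Ebury-trojanised client accepts it silently. Since OpenSSH 6.8 (released in 2015) `-G` is a documented option that prints the effective client configuration, so on those versions silent acceptance is normal and the function reports "inconclusive" rather than "infected". The names `ssh_verdict`, `check_local_ssh` and the `WINDIGO_LIVE` variable are my own, and the version and output strings in the tests are constructed.

```shell
#!/bin/sh
# Added example, not code from the Ars Technica article or the Eset report.
# Eset's Windigo indicator: a stock OpenSSH client of the 2011-2014 era rejects
# the undocumented -G flag ("illegal option" / "unknown option"), whereas the
# Ebury-trojanised client accepts it silently. OpenSSH 6.8 (2015) made -G a
# documented option, so on those versions acceptance is expected and the
# indicator is inconclusive on its own.

# ssh_verdict VERSION_LINE G_OUTPUT
#   VERSION_LINE: first line of `ssh -V 2>&1`, e.g. "OpenSSH_5.3p1, OpenSSL ..."
#   G_OUTPUT:     combined stdout+stderr of `ssh -G 2>&1`
# Prints one of: clean | suspicious | inconclusive
ssh_verdict() {
    version_line=$1
    g_output=$2

    # Extract major/minor from "OpenSSH_X.Y..."; both empty if the banner is unparseable.
    major=$(printf '%s\n' "$version_line" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s\n' "$version_line" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')

    # -G is a legitimate option from 6.8 onward: the test cannot separate a
    # trojanised client from a normal one, so say so instead of crying wolf.
    if [ -n "$major" ] && { [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; }; then
        echo inconclusive
        return 0
    fi

    # Eset's original test: an option-parsing error means the genuine client.
    if printf '%s\n' "$g_output" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo suspicious
    fi
}

# check_local_ssh: run the indicator against the ssh binary on this host.
check_local_ssh() {
    version_line=$(ssh -V 2>&1 | head -n 1)
    g_output=$(ssh -G 2>&1 || true)
    verdict=$(ssh_verdict "$version_line" "$g_output")
    echo "ssh -G indicator: $verdict ($version_line)"
}

# Only touch the real ssh binary when explicitly asked: WINDIGO_LIVE=1 sh check.sh
if [ "${WINDIGO_LIVE:-0}" = 1 ]; then
    check_local_ssh
fi
```

A "suspicious" verdict from this test is a reason to pull the host for forensic review, not proof on its own; Eset's report pairs the `-G` probe with other indicators, and a binary that has been replaced should be compared against the distribution package's checksums from a trusted machine.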

Eset strongly recommends that the operating systems of infected machines be completely reinstalled. The researchers also advise that all credentials stored on the infected machines, or used to log into them, be considered compromised. Given the difficulty many server administrators have reported in fully eradicating Cdorked, Darkleech, and other malware attacking production servers, the advice makes sense.

Listing image by torkildr.
