

Wednesday, 26 March 2014

Operation Windigo: Linux malware campaign that infected 500,000 Computers Worldwide

In late 2013, security researchers identified thousands of Linux systems around the world infected with Linux/Ebury, an OpenSSH backdoor trojan and credential stealer that gives remote attackers unauthorized access to an affected computer. Antivirus firm ESET's research team has been tracking and investigating the operation behind Linux/Ebury, and today the team published the details [Report PDF] of a massive, sophisticated and organized malware campaign called 'Operation Windigo', which infected more than 500,000 computers and 25,000 dedicated servers.
'We discovered an infrastructure used for malicious activities that is all hosted on compromised servers. We were also able to find a link between different malware components such as Linux/Cdorked, Perl/Calfbot and Win32/Glupteba.M and realized they are all operated by the same group.' ESET reported.

Malware used in Operation Windigo:

Linux/Ebury – an OpenSSH backdoor used to keep control of the servers and steal credentials.
Linux/Cdorked – an HTTP backdoor used to redirect web traffic. ESET also details the infrastructure deployed to redirect traffic, including a modified DNS server used to resolve arbitrary IP addresses, labeled Linux/Onimiki.
Perl/Calfbot – a Perl script used to send spam.

The group behind the attacks may have been active since December 2012, using a modified version of OpenSSH, an open source alternative to proprietary Secure Shell (SSH) software, to infect thousands of servers and desktop computers; it apparently stole user credentials on the infected systems as well as the SSH private keys used for outgoing SSH connections.
"According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today." ESET reported, "using the Linux/Ebury OpenSSH backdoor"
The attackers used this wide pool of compromised machines to redirect half a million web visitors to malicious websites and abused the servers' bandwidth to send more than 35,000,000 spam messages per day. Victims who open a malicious link from the spam mails on a smartphone are redirected to porn sites, with the intention of making money.
High-profile targets: the report lists some affected high-profile servers and companies, including cPanel (a well-known web hosting control panel) and the Linux Foundation's kernel.org (the main repository of source code for the Linux kernel).
ESET researchers collaborated with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies to fight this malware campaign.

Affected operating systems include Linux, FreeBSD, OpenBSD, OS X and even Windows (with Perl running under Cygwin); affected countries include the US, Germany, France, Italy, Great Britain, the Netherlands, the Russian Federation, Ukraine, Mexico and Canada.
How to check if you have been compromised: if you run the 'ssh -G' command, a clean server will print 'ssh: illegal option -- G', but an infected server will only print the usage message.

Administrators can use the following UNIX/Linux command to check:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
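As an added example (not from the article or from ESET's own indicator script), the one-liner above wrapped in POSIX sh functions so its two inputs can be classified separately from running them. It assumes nothing beyond what the article states about the Ebury indicator, plus one fact a practitioner needs today: since OpenSSH 6.8 (released in 2015) `-G` is a legitimate option that dumps the client configuration, so on a modern host `ssh -G` prints the usage message for a perfectly clean binary. The classifier therefore reports 'inconclusive' rather than 'suspicious' when the `ssh -V` banner shows a version that supports `-G` natively; the function names and the 'clean/suspicious/inconclusive' labels are this example's own.

```shell
#!/bin/sh
# Added example, not the article's or ESET's code: classify the Ebury `ssh -G`
# indicator while accounting for OpenSSH versions that support -G natively.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022".
openssh_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p'
}

# Succeed when version $1 (major.minor) is 6.8 or later, the release in which
# `ssh -G` became a legitimate option (fact about OpenSSH, not from the article).
version_has_g_option() {
  major=${1%%.*}
  minor=${1#*.}
  [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# Classify the combined stdout+stderr of `ssh -G` ($1) given the `ssh -V` banner ($2):
#   clean        - ssh rejected -G as illegal/unknown (older OpenSSH, unmodified)
#   inconclusive - this OpenSSH accepts -G natively, so usage output proves nothing
#   suspicious   - an OpenSSH older than 6.8 accepted -G silently, which is the
#                  Ebury indicator the article describes
classify_ssh_g() {
  case "$1" in
    *illegal*|*unknown*) echo clean; return 0 ;;
  esac
  ver=$(openssh_version "$2")
  if [ -n "$ver" ] && version_has_g_option "$ver"; then
    echo inconclusive
  else
    echo suspicious
  fi
}

# Run the check against the ssh binary on this host.
check_local_ssh() {
  classify_ssh_g "$(ssh -G 2>&1)" "$(ssh -V 2>&1)"
}
```

Source the file and call `check_local_ssh`; a result of 'inconclusive' means the 2014 one-liner cannot tell you anything on that host and a file-integrity check of the OpenSSH binaries and libraries (package manager verification, or a known-good hash) is the right next step.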
If your system or server was also compromised in this campaign, it is recommended to re-install the system or reset all passwords and private OpenSSH keys.
