25000 Co-opted Linux Servers Drop Malware, Spread Spam and Steal Credentials

Recently a new report has been released by the security company ESET, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This research report was a joint effort by ESET, CERT-Bund, SNIC and CERN.

Over past some years, ESET has recorded around 25,000 malware-infectedservers, which have been significant in various functions like:

• Spam Operations (averaging 35 million spam messages each and every day )
• Infecting site visitor’s computer via drive-by exploits.
• Redirecting the visitors to malicious websites.

The report says about two well-known organisations becoming the victims of Windigo. This ongoing operation was started in 2011, and has affected some high profile servers and companies like cPanel and Linux Foundation’s Kernel.org.

Easier with Single Factor Logins: 

There was a common thread that the Linux servers consisted of, and all were infected with Linux/Ebury. The Linux/Ebury is a malware that provides a root backdoor shell along with an ability to steal SSH credentials. The report also mentioned that there are no vulnerabilities on the Linux servers, which could be exploited, but only stolen credentials were leveraged. Thus in a sense helps explain the compromise made, as Linux servers are, for the most part, bulletproof.

Getting access to the credentials etc: 

The question arose in the minds of the Linux users was that, how the attackers got access the credentials, login and ultimately installing the malware.

A helping hand is offered by Pierre Marc Bureau,a security intelligence bureau named after the program manager of ESET Pierre Marc. They provided the Linux users with the answers that says that it takes to compromise one server in a network, whichmakes it easier there forth. Once the root is obtained by the attackers, they install Linux/Ebury on the compromised server and start to harvest the SSH-login credentials. Along with the additional login credentials, the attackers explore to see what the other servers can be compromised in that particular network.

Additional Malware: 

As mentioned above in this article, the infected servers are part of spam campaigns, they redirect the visitors to the malicious websites, or in case of vulnerable computers, it downloads malwares to the victim’s computer. In order to successfully accomplish this, the attackers install some additional malwares on the servers consisting of:

• Linux/Cdorked: it provides a backdoor shell and are able to distribute Windows malware to end users via drive-by downloads.
• Linux/Onimiki: it resolves the domain names with a particular pattern to any IP address, without any need to change further any server-side configuration.
• Perl/Calfbot: it is a lightweight spam bot written in Perl.

Victims: 

The Windigo Report further adds that there are two types of victims, the Linux/Unix server operators and End-users who receive spam and or visit a website on a compromised server. In that respect, ESET has confirmed that the compromised servers try to download the following Windows Malware:

• Win32/Boaxxe.G: A click fraud malware.
• Win32/Glubtela.M: A general proxy that targets Windows computers.