Firms urged to take tough action on Unix-based cyber attack

Security researchers have urged businesses to take action on a cyber criminal campaign that has seized control of 25,000+ Unix servers worldwide

Security researchers have uncovered a widespread cyber criminal campaign that has seized control of more than 25,000 Unix servers worldwide.

The attack, dubbed Operation Windigo, has resulted in infected servers sending out millions of spam emails.

The campaign was uncovered by researchers from security firm Eset, in collaboration with Germany’s federal agency computer emergency response team, the Swedish National Infrastructure for Computing and other agencies.

Operation Windigo is described as a “complex knot of sophisticated malware components” that are designed to hijack servers, infect the computers that visit them, and steal information.

"Windigo has been gathering strength, largely unnoticed by the security community, for over two-and-a-half years, and currently has 10,000 servers under its control," said Eset security researcher Marc-Étienne Léveillé. 

Read more about 2FA

"More than 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” he said.

According to researchers, Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.

Over 60% of the world's websites are running on Linux servers. Eset researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.

"Webmasters and IT staff already have a lot of headaches and things on their mind, so we hate to add to their workload – but this is important,” said Léveillé.

 “Everyone wants to be a good net citizen, and this is your chance to play your part and help protect other internet users. The last thing anyone should want is to be part of the problem, adding to the spread of malware and spam. A few minutes can make the difference, and ensure you are part of the solution,” he said.

Eset researchers are appealing for Unix system administrators and webmasters to run the following command which will tell them if their server is compromised or not:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

"The Ebury back door deployed by the Windigo cyber crime operation does not exploit a vulnerability in Linux or OpenSSH. Instead it is manually installed by a malicious attacker. The fact that they have managed to do this on tens of thousands of different servers is chilling.

Check your servers

System administrators should run the following command to check whether Unix servers have been compromised by Operation Windigo:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

“While antivirus and two-factor authentication [2FA] is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential theft and easy malware deployment,” said Léveillé.

If sysadmins discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software. Eset said it is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised.

For a higher level of protection in future, technology such as two-factor authentication should be considered, said researchers.

"We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," said Léveillé. 

Eset has published a detailed investigation into the Operation Windigo cyber crime campaign, and the various malware components which make up the threat.

Read more on Hackers and cybercrime prevention