Researchers discover credential-stealing Unix-based server botnet
March 19, 2014 – 4:34 AM
Dubbed Operation Windigo, the attack has been ongoing for more than two and a half years and has compromised as many as 25,000 servers at one time, anti-virus vendor ESET said Tuesday. Systems infected with the backdoor Trojan are used to steal credentials, redirect Web traffic to malicious content and send as many as 35 million spam messages a day.
ESET has investigated the criminal operation in collaboration with CERT-Bund and the Swedish National Infrastructure for Computing. Compromised servers have been found throughout the U.S., Germany, France, and the United Kingdom.
Operating systems affected by the spam component of the operation include Linux, FreeBSD, OpenBSD, OS X and Windows. With more than 60 percent of the world’s Web sites running on Linux servers, ESET researchers are warning Web masters and system administrators to check their systems for infection.
ESET found that all the compromised servers have been infected with the Ebury OpenSSH backdoor. The network is particularly virulent because each of the systems has significant bandwidth, storage, computing power and memory.
Linux/Ebury is particularly stealthy malware, ESET said. Its creators are careful to deploy the backdoor without landing files on the file system. They also leave no trace in log files when using the backdoor.
In addition, the malware configurations loaded onto systems are stored in memory, so if the system is rebooted the configurations go away. This makes it difficult for forensics experts to determine what the creators were able to do on the system.