Pierre-Marc Bureau, security intelligence program manager for ESET, wrote “According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today. This number is significant if you consider each of these systems have access to significant bandwidth, storage, computing power, and memory. Well-known organizations such as cPanel and kernel.org were on the list of victims, although they have now cleaned their systems.”
“Windigo”, as they call it, can attack more than 500,000 targets per day and takes different forms depending on the victim's operating system. Researchers said that on Windows PCs, Windigo simply steals the target's data using an exploit kit, whereas Mac users are served pop-ups for dating sites.
Moreover, ESET revealed, “the main components of the Windigo operation are an OpenSSH backdoor, a web redirection module and a spam-sending program. Servers located throughout the U.S., Germany, France and the UK are among those infected.” ESET alleged that Windigo has infected 25,000 UNIX servers using a Trojan, with monetary profit as its purpose. The team added that the “quality of the various malware pieces is high, with stealthy, portable, sound cryptography (session keys and nonces) and shows a deep knowledge of the Linux ecosystem.”
Different reports also said that those behind Windigo used three homebuilt tools to launch and run their malicious operation: Ebury, Cdorked, and a Perl script called Calfbot.
Furthermore, ESET added that the attackers are both technically astute and expert at hiding their tracks, saying that “The complexity of the backdoors deployed by the malicious actors shows out-of-the-ordinary knowledge of operating systems and programming. They leave as little trace as possible on the hard drive, so it makes forensics a lot harder. For example, to infect OpenSSH, they will not modify OpenSSH itself; they will modify a shared library used by OpenSSH, so it makes it very hard [for admins] to tell that they’re compromised.”
On the other hand, ESET, in their blog post, also advised users on how to check whether their servers are infected by the Operation Windigo botnet, saying that “there’s a way to fight back though.” ESET said that running the following command on a Unix server identifies whether it is infected or not:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
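The one-liner above works because a stock OpenSSH of that era rejected the -G option with an "illegal option" or "unknown option" message, while the Ebury-backdoored build accepted it. The shell functions below are an added example, not ESET's code: they apply the same classification to a captured copy of the `ssh -G 2>&1` output so it can be exercised on constructed samples, and they add the caveat a practitioner needs today, namely that OpenSSH 6.8 and later legitimately accept -G (it prints the effective client configuration), so on a modern host the raw check reports "System infected" on clean systems. The sample outputs and version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from ESET's post). Applies the ESET ssh -G heuristic
# to captured output and gates it on the OpenSSH version, because
# OpenSSH >= 6.8 accepts -G and would otherwise look "infected".

# Same test as the ESET one-liner, applied to captured text instead of
# a live `ssh -G 2>&1` invocation.
classify_ssh_g_output() {
    # $1: captured stdout+stderr of `ssh -G 2>&1`
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo "System clean"
    else
        echo "System infected"
    fi
}

# Returns 0 when the `ssh -V 2>&1` banner is older than OpenSSH 6.8,
# i.e. the era in which a genuine ssh rejected -G.
ssh_g_check_applies() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # not an OpenSSH banner: do not guess
    set -- $ver                         # positional params are function-local
    major=$1; minor=$2
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; }; then
        return 0
    fi
    return 1
}

# Combine both: only trust the -G heuristic on builds where it is valid.
windigo_verdict() {
    # $1: `ssh -V 2>&1` output, $2: `ssh -G 2>&1` output
    if ssh_g_check_applies "$1"; then
        classify_ssh_g_output "$2"
    else
        echo "Inconclusive: OpenSSH >= 6.8 accepts -G; verify the binary and libraries against package checksums instead"
    fi
}

# Constructed samples (not real captures).
SAMPLE_V_OLD='OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13, OpenSSL 1.0.1f 6 Jan 2014'
SAMPLE_V_NEW='OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022'
SAMPLE_G_CLEAN='unknown option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] ...'
SAMPLE_G_SILENT='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] ...'

# Stand-alone demonstration.
windigo_verdict "$SAMPLE_V_OLD" "$SAMPLE_G_CLEAN"    # System clean
windigo_verdict "$SAMPLE_V_OLD" "$SAMPLE_G_SILENT"   # System infected
windigo_verdict "$SAMPLE_V_NEW" "$SAMPLE_G_SILENT"   # Inconclusive ...
```

On a live host you would pass `"$(ssh -V 2>&1)"` and `"$(ssh -G 2>&1)"` to `windigo_verdict`. The version gate is the important addition: a heuristic that keys on a rejected option stops being meaningful once the option becomes valid, so an "infected" verdict from the bare one-liner on a current distribution should be treated as a false positive until confirmed by other means.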
If the server is infected, ESET recommended wiping the machine, reinstalling the operating system, and changing every password that was used on it. “We conclude that password-authentication on servers should be a thing of the past. The game has changed regarding the management of servers on the Internet. Password-based login to servers should be a thing of the past. One should seriously consider two-factor authentication or, at least, a safe use of SSH keys.”
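As an added example of acting on that recommendation (not code from ESET's post), the shell functions below audit sshd configuration text for the two settings that turn password logins off and leave key-based logins on, and show a weak configuration beside the hardened one. The config samples are constructed; on a real host the audit would be fed the output of `sshd -T`, which prints the effective settings with lowercase keywords.

```shell
#!/bin/sh
# Added example, not from ESET's post: audit sshd settings for the
# "no password logins, use SSH keys" advice. Reads config text passed as
# an argument so it can run offline against constructed samples.

# Print the effective value of one keyword. sshd honours the first
# occurrence of a keyword, and keywords are case-insensitive, so take the
# first non-comment match. (Match blocks are not modelled here; use
# `sshd -T` output, which has already resolved them, for real audits.)
sshd_setting() {
    # $1: keyword, $2: config text
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print tolower($2); exit }
    '
}

# Returns 0 and prints OK when password auth is off and public-key auth
# is on; otherwise prints the offending values and returns 1.
# sshd defaults (when the keyword is absent): both are "yes".
audit_password_login() {
    # $1: config text
    pw=$(sshd_setting PasswordAuthentication "$1")
    pk=$(sshd_setting PubkeyAuthentication "$1")
    [ -n "$pw" ] || pw=yes
    [ -n "$pk" ] || pk=yes
    if [ "$pw" = "no" ] && [ "$pk" = "yes" ]; then
        echo "OK: password logins disabled, public-key auth enabled"
        return 0
    fi
    echo "WEAK: PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    return 1
}

# Constructed samples: a weak configuration and its hardened counterpart.
WEAK_CONFIG='# Password logins still allowed (the default)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='# Keys only; passwords cannot be brute-forced or reused by a stolen list
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
# ChallengeResponseAuthentication covers keyboard-interactive password prompts
ChallengeResponseAuthentication no'

# A file that never mentions the keyword inherits sshd's "yes" default.
IMPLICIT_CONFIG='Port 22'

# Stand-alone demonstration.
audit_password_login "$WEAK_CONFIG"       # WEAK ...
audit_password_login "$HARDENED_CONFIG"   # OK ...
audit_password_login "$IMPLICIT_CONFIG"   # WEAK ... (defaults)
```

The third sample is the case that trips people up: a configuration that simply omits PasswordAuthentication is not hardened, because sshd's default for it is "yes". Disabling passwords is only safe once every administrator's public key is in place and a key-based login has been tested from a second session, and two-factor authentication on top of keys is what ESET's advice points to as the stronger end state.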