Operation Windigo compromises 10,000 Unix servers
Infected servers sending out millions of spam emails, redirecting to malware, say researchers.
Security researchers have uncovered a widespread cyber-criminal campaign that has seized control of over 10,000 Unix servers worldwide in an operation that has been running for more than two and a half years, dubbed Operation Windigo.
The attack, discovered by ESET and a number of cyber-security agencies, has resulted in infected servers sending out millions of spam emails, ESET said in a statement. The vendor described Windigo as a "complex knot of sophisticated malware", which is designed to hijack servers, infect the computers that visit them, and steal information.
"Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control," said ESET security researcher Marc-Étienne Léveillé.
"Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."
Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit. Mac users are also affected, and are often served adverts for dating sites, while iPhone owners are redirected to pornographic online content, ESET said.
Over 60% of the world's websites are running on Linux servers, so ESET is now calling on webmasters and system administrators to check their systems to see if they have been compromised by Windigo.
In a detailed report, ESET has appealed to Unix system administrators to run a command that will tell them whether their server is compromised. The test relies on the fact that the Windigo backdoor replaces the OpenSSH client with a version that silently accepts a bogus -G option, whereas a stock OpenSSH client of that era rejects it with an "illegal option" or "unknown option" error. The command is:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
One caveat for anyone running this today: OpenSSH 6.8 and later ship a legitimate -G option (it prints the client's effective configuration), so on those versions the command reports "System infected" on a perfectly clean host and the result should be treated as inconclusive rather than as evidence of compromise.
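The following shell script is an added example, not code from ESET's report. It wraps the same ssh -G test in a function that first parses the OpenSSH version banner and refuses to report "infected" on releases where -G is a documented option (OpenSSH 6.8 and later), so the check cannot produce that false positive. The function names (openssh_version, g_option_is_legitimate, classify_ssh_g, windigo_check) and the sample banners and outputs used below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ESET's code. Wraps the ESET "ssh -G" Windigo test so that
# it only reports "infected" on OpenSSH versions where "-G" was not a real
# option. Background: the Windigo SSH backdoor silently accepts a bogus "-G";
# a stock client of that era rejects it with "illegal option" or "unknown
# option". OpenSSH 6.8 later added a genuine "-G" (print the effective client
# configuration), so on those versions the absence of an error proves nothing.

# Parse the first line of `ssh -V` (e.g. "OpenSSH_7.4p1, OpenSSL ...") into
# "major minor". Prints nothing if the banner is not recognised.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Succeeds (exit 0) when the banner describes OpenSSH 6.8 or newer, i.e. when
# "-G" is a documented option and the ESET test is not applicable.
g_option_is_legitimate() {
    set -- $(openssh_version "$1")   # positional params are local to the function
    [ -n "$1" ] || return 1
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }
}

# Classify a host from its `ssh -V` banner and the combined output of
# `ssh -G 2>&1`. Prints exactly one of: clean, infected, inconclusive.
classify_ssh_g() {
    banner=$1
    g_output=$2
    if g_option_is_legitimate "$banner"; then
        echo inconclusive
    elif printf '%s\n' "$g_output" | grep -q -e illegal -e unknown; then
        echo clean            # client rejected the bogus flag, as a stock build should
    else
        echo infected         # old client accepted "-G" without complaint
    fi
}

# Live check of the local machine (hypothetical wrapper name).
windigo_check() {
    classify_ssh_g "$(ssh -V 2>&1 | head -n 1)" "$(ssh -G 2>&1)"
}
```

An "inconclusive" result means the ssh -G trick cannot be used on that host and compromise has to be assessed by other means; a "clean" result only says the client binary behaves like a stock build, not that the server is free of other Windigo components.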
If a system is infected, ESET advised wiping affected computers and reinstalling the operating system and software. The vendor said it was "essential" that fresh passwords and private keys are used, as existing credentials must be considered compromised.
"We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," said Léveillé.
"Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems - potentially putting more internet users in the firing line."