
Operation Windigo compromises 10,000 Unix servers

Infected servers sending out millions of spam emails, redirecting to malware, say researchers.

ESET: Windigo is a complex knot of sophisticated malware

Security researchers have uncovered a widespread cyber-criminal campaign that has seized control of over 10,000 Unix servers worldwide in a two-year attack being dubbed Operation Windigo.

The attack, discovered by ESET and a number of cyber-security agencies, has resulted in infected servers sending out millions of spam emails, ESET said in a statement. The vendor described Windigo as a "complex knot of sophisticated malware", which is designed to hijack servers, infect the computers that visit them, and steal information.

"Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control," said ESET security researcher Marc-Étienne Léveillé.

"Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."

Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit. Mac users are also affected and are often served adverts for dating sites, while iPhone owners are redirected to pornographic online content, ESET said.

Over 60% of the world's websites are running on Linux servers, so ESET is now calling on webmasters and system administrators to check their systems to see if they have been compromised by Windigo.

In a detailed report, ESET has appealed to Unix system administrators to run a command that will tell them if their server is compromised or not. The command is:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
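As an added example, not part of the article or of ESET's own tooling, the shell below splits that one-liner into a testable classifier and adds the guard a practitioner needs: OpenSSH 6.8 and later accept -G as a legitimate option, so on those versions the grep-based verdict is always "System infected" and the check is inconclusive. The function names classify_ssh_g_output, ssh_version_supports_G and windigo_ssh_check are my own.

```shell
#!/bin/sh
# Added example, not ESET's tooling. Assumption: the only signal used is
# whether the local ssh client accepts -G, exactly as the ESET one-liner does.

# Classify captured "ssh -G" output the way the one-liner's grep does.
# A stock OpenSSH client of the Windigo era rejected -G with an
# "illegal option" or "unknown option" message; the backdoored client
# accepted it silently, so the absence of that error is the indicator.
classify_ssh_g_output() {
    case "$1" in
        *illegal*|*unknown*) echo "clean" ;;
        *)                   echo "infected" ;;
    esac
}

# OpenSSH 6.8 and later ship a legitimate -G flag (print the effective
# configuration), so on those versions the one-liner alone reports
# "infected" for every host. Takes the "ssh -V" banner; returns 0 when
# -G is accepted by design and the check is therefore inconclusive.
ssh_version_supports_G() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# Run the check against the installed client and print a verdict:
# "clean", "infected", or an explanation of why the test cannot decide.
windigo_ssh_check() {
    command -v ssh >/dev/null 2>&1 || { echo "no ssh client found"; return 3; }
    banner=$(ssh -V 2>&1)   # OpenSSH prints its version banner on stderr
    if ssh_version_supports_G "$banner"; then
        echo "inconclusive: $banner accepts -G by design; use other indicators"
        return 2
    fi
    classify_ssh_g_output "$(ssh -G 2>&1)"
}
```

Run `windigo_ssh_check` on the host in question; a "clean" verdict only means this particular indicator was absent, which is all the original one-liner ever established.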

If a system is infected, ESET advised wiping affected computers and reinstalling the operating system and software. The vendor said it was "essential" that fresh passwords and private keys are used, as existing credentials must be considered compromised.

"We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," said Léveillé. 

"Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems - potentially putting more internet users in the firing line." 
