Tuesday, March 18 14:31:25
Security researchers at ESET in Dublin have uncovered a widespread cyber-criminal campaign that has seized control of over 25,000 Unix servers worldwide.
The attack, which has been dubbed "Operation Windigo" by security experts, has resulted in infected servers sending out millions of spam emails. Its complex knot of sophisticated malware components is designed to hijack servers, infect the computers that visit them, and steal information.
The Windigo cybercriminal campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control.
Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection when they visit websites that have been poisoned by web server malware planted by Operation Windigo, which redirects visitors to malicious exploit kits and advertisements. Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content, ESET's Urban Schrott said.
Over 60pc of the world's websites are running on Linux servers, and ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.
The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH. Instead it is manually installed by a malicious attacker. While anti-virus and two-factor authentication are common on the desktop, they are rarely used to protect servers, leaving them vulnerable to credential theft and easy malware deployment. If sysadmins discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software. It is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised. For a higher level of protection in future, technology such as two-factor authentication should be considered.