25,000 co-opted Linux servers spread spam, drop malware and steal credentials
Posted on August 31 2015
Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This report was a joint research effort by ESET, CERT-Bund, SNIC and CERN. The key phrase in the report title is "server-side."
Over the past two years, ESET has chronicled 25,000 malware-infected servers that have been instrumental in:
- Spam operations (averaging 35 million spam messages per day)
- Infecting site visitors' computers via drive-by exploits
- Redirecting visitors to malicious websites
The report talks about two well-known organizations that became victims of Windigo: "This operation has been ongoing since 2011 and has affected high-profile servers and companies, including cPanel and Linux Foundation's kernel.org."
Single-factor logins make it easy
The Linux servers had a common thread — all were infected with Linux/Ebury, malware known to provide a root backdoor shell along with the ability to steal SSH credentials. The report also said, "No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged."
That detail explains how otherwise well-maintained Linux servers were compromised at all: patching closes vulnerabilities, but it does nothing against a valid password or private key taken from another host, and stolen credentials are all the attackers used.
So how did the attackers obtain root credentials, log in, and ultimately install the malware?
For those answers, I enlisted the help of Pierre-Marc Bureau, security intelligence program manager for ESET. Bureau said all it takes is to compromise one server in a network; after that it becomes easy. Once root is obtained, attackers install Linux/Ebury on the compromised server and start harvesting SSH login credentials.
With the additional login credentials, attackers explore to see what other servers can be compromised in that particular network.
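The harvest-and-hop pattern Bureau describes leaves a trace in the one place the attackers cannot avoid writing to: the `Accepted ... for ... from ...` line that sshd logs on every successful login on the *target* host. The script below is an added example written for this article, not code from ESET or from the report. It runs over a handful of constructed sshd log lines (the hostnames, addresses, timestamps and the `INVENTORY` map are all made up for the example) and flags two things: password logins straight to root, which is the single-factor access a stolen credential buys, and an internal host that fans out to several other servers within a short window, paired with the earliest login into that host as the likely point where its credentials were harvested. Because Ebury gives the attacker root on the infected server, its own logs can be edited; run this kind of check on logs shipped to a central collector, not on the suspect host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the line sshd writes on every successful login:
#   "Accepted <method> for <user> from <address> port <n> ssh2"
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines (not from ESET's data): an outside address logs into web01 as
# root with a password, then web01's own address (10.0.0.11) starts logging into other
# servers with a mix of passwords and keys, which is the harvest-and-hop pattern.
SAMPLE_LOG = """\
Mar  1 02:14:07 web01 sshd[2291]: Accepted password for root from 203.0.113.45 port 51122 ssh2
Mar  1 02:20:33 db01 sshd[1178]: Accepted password for root from 10.0.0.11 port 40022 ssh2
Mar  1 02:21:10 db02 sshd[1189]: Accepted publickey for deploy from 10.0.0.11 port 40030 ssh2: RSA SHA256:constructed
Mar  1 02:22:45 backup01 sshd[990]: Accepted password for admin from 10.0.0.11 port 40041 ssh2
Mar  1 09:00:01 web02 sshd[3001]: Accepted publickey for deploy from 10.0.0.5 port 55000 ssh2: ED25519 SHA256:constructed
"""

# Constructed inventory: which internal addresses belong to which servers. A pivot is
# only meaningful when the source is one of our own hosts.
INVENTORY = {"10.0.0.11": "web01", "10.0.0.5": "bastion"}

YEAR = 2014  # syslog timestamps carry no year; assumed here so lines can be ordered


def parse_logins(text, year=YEAR):
    """Return successful-login events from sshd syslog lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # failures, disconnects and unrelated daemons are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m.group("host"), "method": m.group("method"),
                       "user": m.group("user"), "src": m.group("src")})
    events.sort(key=lambda e: e["ts"])
    return events


def single_factor_root_logins(events):
    """Password logins straight to root: exactly the access a stolen credential buys."""
    return [e for e in events if e["method"] == "password" and e["user"] == "root"]


def pivot_fanout(events, inventory=INVENTORY, window=timedelta(hours=1), min_targets=3):
    """Flag internal sources that log into at least min_targets distinct hosts inside one
    window, and pair each with the earliest login *into* that source host, the likely
    point where its credentials were harvested."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"] in inventory:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():          # evs is already in time order
        for i, start in enumerate(evs):
            targets = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                pivot_host = inventory[src]
                entry = next((e for e in events
                              if e["host"] == pivot_host and e["ts"] <= start["ts"]), None)
                findings[src] = {"pivot_host": pivot_host, "targets": sorted(targets),
                                 "entry": entry}
                break
    return findings


if __name__ == "__main__":
    events = parse_logins(SAMPLE_LOG)
    for e in single_factor_root_logins(events):
        print(f"single-factor root login on {e['host']} from {e['src']} at {e['ts']:%H:%M:%S}")
    for src, f in pivot_fanout(events).items():
        entry = f["entry"]
        via = f"after login from {entry['src']}" if entry else "entry point unknown"
        print(f"{f['pivot_host']} ({src}) reached {', '.join(f['targets'])} {via}")
```

On the constructed input this reports the two root password logins (web01 from outside, db01 from web01) and identifies web01 as a pivot that reached backup01, db01 and db02 within the hour after the external login. The window and target threshold are tuning knobs; a bastion that legitimately reaches many hosts belongs on an allow list rather than in the findings.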