A team of security researchers has uncovered a widespread attack campaign that has infected more than 25,000 UNIX servers around the world.
The finding was made by researchers from ESET, CERT-Bund, the Swedish National Infrastructure for Computing and other agencies. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling ‘Operation Windigo.’ Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day.
“Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,” said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement. “This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory.”
Infected servers have been identified in the U.S., Germany, France and the U.K. According to the researchers, they are believed to redirect as many as half a million web visitors a day to malicious content. Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served advertisements for dating sites. iPhone owners are redirected to sites with adult content.
ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present. If IT admins discover the malware, they are advised to wipe the affected computers and reinstall the operating system.
According to ESET, Unix system administrators and webmasters can run the following command to see if their server is compromised or not:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
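The check relies on one behavioural difference: an unmodified ssh of that era rejects the unknown -G option with an "illegal option" or "unknown option" usage error, while the backdoored build accepts it. As an added example that is not ESET's code, the one-liner is wrapped below in a function that can be pointed at any ssh binary, together with constructed stand-in scripts for the two behaviours so the logic can be exercised without touching the real binary; the function and stub names are assumptions.

```shell
#!/bin/sh
# Added example, not from ESET's report. Wraps the article's one-line test
# in a function that takes the path of the ssh binary to inspect.
# Mechanism: a stock ssh rejects "-G" with "illegal option"/"unknown option";
# an Ebury-patched ssh accepts it silently.

# windigo_ssh_check [SSH_PATH]
#   prints "clean" (usage error seen), "suspect" (-G accepted) or "no-ssh"
#   returns 0, 1 or 2 respectively
windigo_ssh_check() {
    ssh_bin="${1:-ssh}"
    if ! command -v "$ssh_bin" >/dev/null 2>&1; then
        echo "no-ssh"
        return 2
    fi
    # Merge stderr into stdout: the usage error is written to stderr.
    if "$ssh_bin" -G 2>&1 | grep -q -e illegal -e unknown; then
        echo "clean"
        return 0
    fi
    echo "suspect"
    return 1
}

# make_stub_ssh PATH stock|patched
#   Constructed stand-ins (not real binaries) reproducing the two behaviours
#   the check distinguishes, for testing the function offline.
make_stub_ssh() {
    if [ "$2" = "stock" ]; then
        printf '%s\n' '#!/bin/sh' \
            'echo "ssh: illegal option -- G" >&2' \
            'exit 255' > "$1"
    else
        printf '%s\n' '#!/bin/sh' 'exit 0' > "$1"
    fi
    chmod +x "$1"
}
```

OpenSSH 6.8 and later implement -G legitimately (it prints the effective client configuration), so on a current system this test reports "suspect" for a clean binary and is only meaningful for the OpenSSH versions that were deployed at the time of the campaign.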
The full report is available here.
Brian Prince is a Contributing Writer for SecurityWeek.