25,000 co-opted Linux servers spread spam, drop malware and steal credentials

A new report details how 25,000 servers were compromised. The attacks would have failed if more than single-factor login (username/password) had been required.

Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This report was a joint research effort by ESET, CERT-Bund, SNIC and CERN. The key phrase in the report title is “server-side.”

Over the past two years, ESET has chronicled 25,000 malware-infected servers that have been instrumental in:

  • Spam operations (averaging 35 million spam messages per day)
  • Infecting site visitors’ computers via drive-by exploits
  • Redirecting visitors to malicious websites

The report talks about two well-known organizations that became victims of Windigo: “This operation has been ongoing since 2011 and has affected high-profile servers and companies, including cPanel and Linux Foundation’s kernel.org.”

Single-factor logins make it easy

The Linux servers had a common thread — all were infected with Linux/Ebury, malware known to provide a root backdoor shell along with the ability to steal SSH credentials. The report also said, “No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.”
In a sense, that helps explain the compromise, as the Linux servers themselves are for the most part bulletproof.

[Image: Pierre-Marc Bureau. Image: ESET]

So, how did attackers get root-access credentials, log in, and ultimately install the malware?

For those answers, I enlisted the help of Pierre-Marc Bureau, security intelligence program manager for ESET. Bureau said all it takes is to compromise one server in a network; after that it becomes easy. Once root is obtained, attackers install Linux/Ebury on the compromised server and start harvesting SSH-login credentials.

With the additional login credentials, attackers explore to see what other servers can be compromised in that particular network.
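The chain Bureau describes works because a harvested username and password is, on its own, enough to log in. As an added example (not from the ESET report or this article), the following Python audit parses the global section of an sshd_config using sshd's first-occurrence-wins rule and flags the settings that let a stolen password alone open a shell; the two configuration fragments are constructed for the example, and the hardened one requires a key plus a keyboard-interactive second factor.

```python
import re
# Two sshd_config fragments constructed for this example (hypothetical, not from the report).
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
# every listed method must succeed in order: key first, then a second factor
AuthenticationMethods publickey,keyboard-interactive
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.
    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored; lines after the first 'Match' are conditional and not parsed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit_sshd_config(text):
    """Return findings describing where a stolen username/password alone would log in."""
    s = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults: PasswordAuthentication yes; PermitRootLogin prohibit-password (yes before 7.0)
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication: a stolen password alone grants a shell")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: harvested root passwords are directly usable")
    # AuthenticationMethods lists acceptable chains; multi-factor only if every chain has >1 method
    chains = s.get("authenticationmethods", "").split()
    if not chains or any(len(c.split(",")) < 2 for c in chains):
        findings.append("AuthenticationMethods: no chain requires a second factor")
    return findings
```

Run it against /etc/ssh/sshd_config on a fleet to find hosts where a credential harvested elsewhere would still work; an empty result means every login needs something beyond a password.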

This slide depicts the infection process:

[Slide: Infection process. Image: ESET]

Additional malware

As mentioned earlier, the infected servers are part of spam campaigns, redirect visitors to malicious websites, or download malware to the victim’s computer if it is vulnerable. In order to accomplish this, the attackers install additional malware on the servers, consisting of:

The victims

The report mentions there are two types of victims: the Linux/Unix server operators, and end users who receive spam and/or visit a website hosted by a compromised server. In that regard, ESET has determined that compromised servers try to download the following Windows malware:

Snort and Yara rules

ESET has worked up Snort and Yara rules that can be found at GitHub.
