Windigo malware infects 25,000 Unix servers

News by Tim Ring

Systems administrators urged to take the 'tough medicine' and wipe all affected computers

Security firm ESET has gone public on a cyber crime campaign - ‘Operation Windigo' - that has infected over 25,000 Unix servers worldwide over the past three years, and is daily sending over 35 million spam messages to drive more than 500,000 computers to websites that serve them click-fraud malware and adverts for dating, online gambling and porn websites.

An ESET research team based in Montreal, Canada, and led by security intelligence programme manager Pierre-Marc Bureau has been tracking Windigo since September 2011 and say it is currently infecting 10,000 servers – 25,000 in all over the two-and-a-half years. It has compromised systems in 110 countries, the top five being the US, Germany, France, Italy and the UK.

ESET says: “Many hosting service providers have been completely compromised, including their billing systems.”

Yet the company says Windigo has gone “largely unnoticed by the security community” and is publicising the campaign in a bid to get system administrators to take the threat seriously and clean out their infected computers.

ESET said: “More than half a million visitors to legitimate websites hosted on servers compromised by Windigo are being redirected to an exploit kit every day. The success rate of exploitation of visiting computers is approximately one percent.”

It adds: “The quality of the various malware pieces is high - stealthy, portable, sound cryptography, and shows a deep knowledge of the Linux ecosystem.”

Windigo's main components are the Ebury backdoor, which enables the criminals to access Linux and Unix servers and steal administrator-level SSH credentials; Linux/Cdorked, which they use to redirect web traffic; and Perl/Calfbot, a Perl script used to send spam messages.

Windigo-affected websites typically infect Windows computers with click-fraud malware via an exploit kit, serve Mac users with adverts for dating sites, and redirect IPhone users to pornographic online content.

Organisations known to have been infected by Windigo include cPanel and the Linux Foundation,, which went public last year on their compromise.

ESET has so far been unable to trace the criminals behind Windigo, not even their country or region of origin, but believe they are paid by the websites being advertised for their spam output.

Are you part of the problem?

ESET has been struggling to get webmasters and systems administrators to check if they are infected, then take the ‘tough medicine' of wiping all infected computers and re-installing the operating system and software.

ESET security researcher Marc-Étienne Léveillé said: "Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems - potentially putting more internet users in the firing line."

Pierre-Marc Bureau said that ESET has been spreading information about Windigo for several months through national cyber emergency response teams (CERTs) and notifying victims.

He told “We have been telling them, please make sure you clean up. But people didn't believe us because the malware is very stealthy and hard to detect. So we are publishing that servers may be used to send spam or used to redirect web users, to help them to understand the impact and motivate them to clean up.”

Industry expert Brian Honan, head of cyber security specialist BH Consulting, told via email: “Dealing with Windigo will be a major headache for system administrators. It not only requires the wiping of the server and re-installation of all software, it also includes resetting all passwords and re-issuing fresh SSH keys. This can be a time-consuming exercise. Administrators will also need to consider how their website was breached, be that weak passwords or compromised SSH keys, and ensure that avenue of attack has been closed to the criminals.”

Honan added: “This campaign is a good example as to why you should integrate your security incident response with your business continuity plans. In the event of a compromise that requires a time-consuming rebuild of the affected system, being able to invoke your business continuity plan to enable the business to carry on as normal is essential.”

ESET has published a simple command line that people can use to see if a server is infected:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

Bureau told us: “The first hard thing is to confirm if a server is infected or not, then the even more painful step is to reformat the computer and re-install the system, but it needs to be done as malware controller is the administrator of the server and can do whatever they want.”

Linux and Unix target

More than 60 percent of the world's websites run on Linux servers, and Brian Honan pointed to the significance of these systems being Windigo's target platforms.

He told us: “Traditionally Microsoft Windows platforms have been the primary target for criminals, but Windigo highlights that other platforms such as Unix and Apple are vulnerable to attack too. Those responsible for managing systems need to include all platforms in their security strategy.”

Windigo was named by ESET after a native American demonic creature that eats human flesh – because the malware cannibalises legitimate servers to use them for criminal purposes.

ESET researched Windigo in collaboration with Sweden's national CERT-Bund organisation and other agencies.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews