Botnet of thousands of Linux servers pumps Windows desktop malware onto web


Summary: The scarcity of Linux desktops might keep it safe from malware, but web servers, dominated by the OS, are a different matter.

TOPICS: Security, Linux

As many as 25,000 web servers infected with Linux malware have been used in the past two years to hit website visitors with two variants of Windows malware.

Security researchers in Europe are urging sysadmins — if they haven't already been notified by their ISP — to check their web servers for the presence of several pieces of Linux malware, including a troublesome rootkit known as Ebury SSH for Linux and Unix.

If admins find the malware, chances are they're a victim of 'Operation Windigo', a cybercrime campaign that targets both Windows users and the system administrators who operate the server infrastructure behind popular websites.

"There are two kinds of victims here: Windows end-users visiting legitimate websites hosted on compromised servers, and Linux/Unix server operators whose servers were compromised through the large server-side credential stealing network," security researchers at antivirus firm ESET say in their report.

The report is based on joint research between ESET, Germany's CERT-Bund, the Swedish National Infrastructure for Computing, and CERN, the European Organisation for Nuclear Research.

Operation Windigo has several key components, including Cdorked, which came to ESET's attention last year following a spate of Apache web server infections. The Cdorked HTTP backdoor was also portable to Apache's httpd, Nginx and lighttpd, covering the most widely used web servers in the world.

Websites hosted on an infected server redirected visitors to compromised landing pages hosting exploit kits, such as the now-defunct Blackhole, and were also used to conduct ad fraud. In September 2013, the operation was found to be performing one million redirects per day, though only a fraction of those ended in infections.

Meanwhile, Ebury runs mostly on Linux servers; it gives the attacker a root backdoor shell, steals SSH credentials and can also send out spam, according to ESET.

ESET noted that the Windigo operation did not use any new vulnerability to exploit Linux or Unix systems, but rather relied solely on stolen credentials.

"There are two typical scenarios where SSH credentials get stolen. The first scenario is when a user successfully logs into an infected server. The second scenario is when a user uses a compromised server to log on any other system," ESET's researchers said.
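The two credential-theft scenarios ESET describes can be turned into a log review. The following is an added example, not code from the article or from ESET's report: it parses constructed OpenSSH sshd "Accepted" lines collected from several hosts and flags credentials that were presented to a server already known to be compromised (scenario one) or used from such a server to reach another system (scenario two). The host names, IP addresses, log lines and the compromised-host list are all constructed assumptions.

```python
"""Added example (not from the article or ESET's report): flag SSH logins
matching the two credential-theft scenarios quoted above.

Scenario 1: a user logs into a server that is itself compromised.
Scenario 2: a compromised server is used as a hop to log in elsewhere.
Every host name, IP and log line here is constructed for illustration."""
import re
from collections import defaultdict

# Constructed sshd log lines, each tagged with the host that produced it.
# The format mirrors OpenSSH's "Accepted <method> for <user> from <ip> port <n> ssh2".
SAMPLE_LOGS = [
    ("web01", "Mar 18 09:01:12 web01 sshd[2201]: Accepted publickey for deploy from 203.0.113.10 port 50122 ssh2"),
    ("web01", "Mar 18 09:03:40 web01 sshd[2207]: Accepted password for root from 198.51.100.7 port 41000 ssh2"),
    ("db01",  "Mar 18 09:05:02 db01 sshd[1190]: Accepted password for admin from 192.0.2.21 port 33000 ssh2"),
    ("db01",  "Mar 18 09:05:30 db01 sshd[1191]: Failed password for admin from 192.0.2.21 port 33001 ssh2"),
    ("mail01", "Mar 18 09:10:00 mail01 sshd[900]: Accepted publickey for ops from 192.0.2.22 port 22022 ssh2"),
]

# Constructed inventory of our own servers. A login whose source IP belongs to
# one of them is a server-to-server hop; if that server is compromised, this is scenario 2.
HOST_IPS = {"web01": "192.0.2.21", "db01": "192.0.2.22", "mail01": "192.0.2.23"}

# Constructed set of hosts already confirmed compromised (e.g. from an ISP or CERT notice).
COMPROMISED = {"web01"}

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(tagged_lines):
    """Return (host, method, user, src_ip) tuples for every successful login."""
    logins = []
    for host, line in tagged_lines:
        m = LOGIN_RE.search(line)
        if m:
            logins.append((host, m["method"], m["user"], m["src"]))
    return logins


def find_exposed_credentials(logins, compromised, host_ips):
    """Map each credential ("user@host") to the reasons it should be treated as stolen."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    findings = defaultdict(list)
    for host, method, user, src in logins:
        cred = f"{user}@{host}"
        # Scenario 1: anything presented to, or used during a session on, a compromised host.
        if host in compromised:
            findings[cred].append(f"presented to compromised host {host} via {method}")
        # Scenario 2: the login originated from a compromised server's own IP (a pivot).
        src_host = ip_to_host.get(src)
        if src_host in compromised:
            findings[cred].append(f"login came from compromised host {src_host} ({src})")
        # Password authentication is exactly what a credential-stealing backdoor captures,
        # so note it even on hosts not yet known to be compromised.
        if method == "password":
            findings[cred].append("password authentication used; prefer key-based auth")
    return dict(findings)


if __name__ == "__main__":
    report = find_exposed_credentials(parse_logins(SAMPLE_LOGS), COMPROMISED, HOST_IPS)
    for cred, reasons in report.items():
        print(cred)
        for reason in reasons:
            print("  -", reason)
```

In practice the compromised-host set comes from the ISP or CERT notification mentioned above, and each flagged credential should be rotated rather than merely logged. An inbound public-key login does not hand the private key to the compromised server, but anything typed or used during that session, including onward SSH logins, should be treated as exposed, which is why the hop from web01 to db01 is the finding that matters most in the sample.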

There's also Calfbot, a Perl-based module designed to send spam from Ebury-infected servers. At one point it was caught sending out 35 million spam messages per day.

The number of Ebury infections, based on a count of unique IP addresses, has fluctuated over the past year between 7,700 in June 2013 and 11,110 in January 2013. In total, the researchers have observed 26,000 Ebury infections since beginning their analysis in May 2013.

The countries with the most infections include the US, Germany, France, Italy and the UK. Cdorked had fewer total infections, amounting to 2,183 over the period.

Figure: Linux/Ebury infections by country. Image: ESET.

The two key pieces of Windows malware being served up in drive-by downloads were Win32/Boaxxe.G, click-fraud malware, and Win32/Glubteta.M, a generic proxy for Windows.


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • There just HAS to be another answer...

    ...because everyone knows that Linux is impervious to ANY bad things. It is 100% safe.

    We know this because the Linux crowd tells us so every day.
    • Desktop Linux is pretty safe

      However, server-side Linux is known for having unpatched vuln's and various issues with it, partially because server-side Linux is also offered for no cost.
• That's not

What the Linux fans tell us; they say it is sooo secure, that is why it is used for web servers.
        • And Yet...

          You didn't believe them. You don't have this problem. You have other problems because every platform has costs to accompany its benefits. You also paid more money if you chose Windows server and did not choose a non-enterprise Linux.

          The vulnerability and exploits most likely infested the servers using a non-Linux-specific vector, such as SQL injection, cross-site scripting, php, or ruby, i.e., bad administration, slow patching, or poor application design. There was also an issue similar to goto fail that was recently reported. Was that an innocent error or an NSA backdoor that the bad guys found unlocked?

          Were the most hyperbolic of Linux fans wrong? Yes. But the most hyperbolic of Windows partisans are wrong in the same way.

          But, if being like the Linux "Ha Ha" crew in their peak before mid-aughts when Windows server started showing the results of serious security design is your way to make the world better, have at it. Their acidic comments didn't fix anything. They didn't even convince one person to change platforms from Windows to Linux.
          • Actually...

Many of the things (excused) listed for Linux server infections are the same type of non-OS vectors that a fully patched Windows server (2008 - 2012) typically has.

I think the point is that a fully patched Windows server/client is as protected as a fully patched Linux server/client if they are configured correctly. Note that this might not have been the case some years ago, but Microsoft has improved their security and response by leaps and bounds and is on par with these other solutions.

Actually I would suggest that OSX is the least secure out of the big three client OSs. Security through obscurity is less of a protection as its market share increases.
            Rann Xeroxx
      • Desktop Linux is pretty safe

Are you suggesting that desktop distros are much more secure because they have fewer vuln's? Then why are they not used on the server side? Maybe desktop users are also smarter and have greater knowledge than server admins?

• or perhaps it's more secure because nobody gives a blip about Linux desktop

          even people who live in linux
          • A more polite way of putting it is

"security through obscurity," which isn't the most robust system defense, but nonetheless a fairly significant benefit of minority platforms. If Linux, as a desktop client, is obscure enough that nobody targets it for intrusion, then those who do use it benefit from their obscure status... nothing wrong with that.

            Linux has the opposite problem on servers - it is the most used OS for web front ends, and as such vulnerable due to its popularity.
          • Incorrect term?

            "benefit" or "side-effect"
        • No ...

          The vulns are in the server apps, not in the OS itself. That is why you don't see desktop Linux systems being infected. It is the applications that are creating the holes, not the OS. In all fairness, of course, the same is often true of Windows exploits. Just because a system is compromised does not necessarily indicate a weakness in the OS. All it takes is a poorly designed application to open the door to attackers.
          George Mitchell
          • No

            The desktop is not attacked because the returns are insufficient on the investment required. See above, "security through obscurity."

            The "Linux is impervious" myth is not something the Linux community should want to embrace - we Mac users were rightly once faulted for that. The tactics used on servers are the same tactics that would be used on users if Linux ever became a target - commercial hackers and spammers don't give a fig whether they "compromised your kernel" or not. They don't care about bragging rights, they care about getting on your system - and if they do that through Evolution, Chrome, Firefox, deceptive code dumped into Ubuntu Software Center, or whatever, that's all they care about.

            Nobody should be complacent about security - just because they have not yet targeted you, does not mean they never will. And make no mistake, if they decide to, they will have some success.
          • This!

            This should be the first post on any topic article that discusses security.

There is no such thing as a safe computer. Thinking such is dangerous at best.
          • So true....

There are hackers and there are State-run military hackers as well. Whenever a new server goes live it is scanned and scoped out for opportunities to use it for bad things.
          • I agree

            The "Linux is impervious" myth is not something the Linux community should want to embrace.

            If you run a web server, any OS web server you are a sitting duck for the bad guys. Security is a 24/7 job and should not be taken lightly.
          • The tactics used on servers is social engineering

            The Linux servers had a common thread — all were infected with Linux/Ebury, malware known to provide a root backdoor shell along with the ability to steal SSH credentials. The report also said, “No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.”
          • because the returns are insufficient on the investment required

No, that's not the reason. The reason is that it's hard to infect; desktops are very different from servers. People have created malware for desktop Linux before, remember the "Hand of Thief" trojan last year? But none have managed to survive and spread in the wild like Windows malware does.
          • App store

The nice thing about most Linux distros is the app store model (on Linux long before other OSs) and the community vetting of apps. If you are installing apps from reputable Linux app stores (repositories) then you have a good chance of installing safe software. If you install third-party software or from non-reputable repositories, just like Android you are opening yourself up to possible exposure.

But I agree with others that Linux desktop just is not significant enough to paint a target for malware devs.
            Rann Xeroxx
      • Nowadays...

        ...any public facing server has to be closely monitored and system patches promptly applied.
        John L. Ries
        • Not to mention ...

          properly configured.
          Rabid Howler Monkey
          • Agreed

Most issues with servers are that they are configured incorrectly. One of the problems is these "appliance" installs of Linux servers where you need, say, a SQL server and so you just install a ready-made one without vetting all the proper configurations to harden it. See those all the time.
            Rann Xeroxx