Botnet of thousands of Linux servers pumps Windows desktop malware onto web
As many as 25,000 web servers infected with Linux malware have been used in the past two years to hit website visitors with two variants of Windows malware.
Security researchers in Europe are urging sysadmins — if they haven't already been notified by their ISP — to check their web servers for the presence of several pieces of Linux malware, including a troublesome rootkit known as Ebury SSH for Linux and Unix.
If admins find the malware, chances are they're a victim of 'Operation Windigo', a cybercrime campaign that targets both Windows users and systems admins that operate support equipment for popular websites.
"There are two kinds of victims here: Windows end-users visiting legitimate websites hosted on compromised servers, and Linux/Unix server operators whose servers were compromised through the large server-side credential stealing network," security researchers at antivirus firm ESET say in its report.
The report is based on joint research between ESET, Germany's CERT-Bund, the Swedish National Infrastructure for Computing, and CERN, the European Organisation for Nuclear Research.
Operation Windigo has several key components, including Cdorked, which came to ESET's attention last year following a spate of Apache web server infections. The Cdorked HTTP backdoor was also portable to Apache's httpd, Nginx and lighttpd, covering the most widely used web servers in the world.
Websites operated by an infected server redirected visitors to compromised landing pages hosting exploit kits, such as the now defunct Blackhole, as well as conducting ad fraud. In September 2013, it was found to be conducting one million redirects per day; however, only a fraction ended up in infections.
Meanwhile, Ebury runs mostly on Linux servers and offers the attacker a root backdoor shell and has the ability to steal SSH credentials as well as send out spam, according to ESET.
ESET noted that the Windigo operation did not use any new vulnerability to exploit Linux or Unix systems, but rather relied solely on stolen credentials.
"There are two typical scenarios where SSH credentials get stolen. The first scenario is when a user successfully logs into an infected server. The second scenario is when a user uses a compromised server to log on any other system," ESET's researchers said.
There's also Calfbot, a Perl-based module designed to send spam from Ebury infected servers. At one point it was caught sending out 35 million spam messages per day.
The number of Ebury infections based on a count of unique IP addresses has fluctuated over the past year between 7,700 in June 2013 to 11,110 in January 2013. In total, the researchers have observed 26,000 Ebury infections since beginning their analysis in May 2013.
The countries with the most infections include the US, Germany, France, Italy and the UK. Cdorked had fewer total infections, amounting to 2,183 over the period.
The two key pieces of Windows malware being served up in drive-by downloads were Win32/Boaxxe.G, a click fraud malware, and Win32/Glubteta.M, a generic proxy for Windows.
Read more on malware