
Researchers discover credential-stealing Unix-based server botnet

Mar 18, 2014 | 3 mins
Botnets, Cybercrime, Data and Information Security

As many as 25,000 servers have been infected simultaneously with a backdoor Trojan used to steal credentials, send spam, and redirect Web traffic

Cybercriminals are using sophisticated malware to compromise thousands of Unix-based servers, which then spew spam and redirect half a million Web users a day to malicious content, a security firm reported.


Dubbed Operation Windigo, the attack has been ongoing for more than two and a half years and has compromised as many as 25,000 servers at one time, anti-virus vendor ESET said Tuesday. Systems infected with the backdoor Trojan are used in stealing credentials, redirecting Web traffic to malicious content and sending as many as 35 million spam messages a day.

ESET has investigated the criminal operation in collaboration with CERT-Bund and the Swedish National Infrastructure for Computing. Compromised servers have been found throughout the U.S., Germany, France, and the United Kingdom.

Operating systems affected by the spam component of the operation include Linux, FreeBSD, OpenBSD, OS X and Windows. With more than 60 percent of the world’s Web sites running on Linux servers, ESET researchers are warning Web masters and system administrators to check their systems for infection.

ESET found that all the compromised servers have been infected with the Ebury OpenSSH backdoor. The network is particularly virulent because each of the systems has significant bandwidth, storage, computing power and memory.

Linux/Ebury is a particularly stealthy malware, ESET said. Its creators are careful to deploy the backdoor while avoiding landing files on the file system. They also leave no trace in log files when using the backdoor.

In addition, the malware configurations loaded onto systems are stored in memory, so if the system is rebooted the configurations go away. This makes it difficult for forensics experts to determine what the creators were able to do in the system.

“What you’re able to do in terms of forensics will be to analyze the binary files you’ll find in the malware, but you won’t find the configuration,” ESET security researcher Marc-Étienne Léveillé said.

For encrypted communications, the creators install the backdoor in the servers' OpenSSH instance. OpenSSH, or OpenBSD Secure Shell, is a set of programs that use the SSH protocol to provide encrypted communications over a computer network.

Ways to derail the malware campaign include using two-factor authentication, which makes the stolen credentials unusable, Léveillé said. Keeping the OS and installed software up to date would also be a good defense.


Computers visiting an infected server and redirected to a malicious Web page encounter an exploit kit that checks for older software with vulnerabilities it can exploit, Léveillé said.