Highlights and Updates

Operation Windigo

Thursday, 20th March 2014
Security researchers have uncovered a widespread cybercriminal campaign that has seized control of over 25,000 servers worldwide, in order to send millions of spam messages a day and redirect people to unwanted websites.
This attack has been called "Operation Windigo".

Operation Windigo has been going on for over two and a half years but has gone largely unnoticed by the security community until now.

  • These 25,000 infected servers are located in 110 countries; the top 5 countries are the United States, Germany, France, Italy and the U.K.

  • These infected servers in total send over 35 million spam messages a day to innocent user accounts.

  • Users who visit a website hosted on an infected server are redirected to another website that serves an exploit kit (a type of malware). The researchers found that these websites receive over half a million visitors every day, and about 5000 of those visitors are infected by the exploit kits each day.

  • When someone logs in to the infected server, or logs into another server through the infected server, their credentials are stolen and sent to the attackers.

For Web Masters & System Admins:

How to tell if your Unix server has been infected with Windigo

Run the following command to tell whether your server is compromised or not:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

Please note: other variants of this malware may be present on your server, so please read the technical report to learn how to detect all of the different variants and how to clean them.
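The following is an added shell example, not code from the advisory or from the researchers' report: it wraps the one-liner above into a function that classifies its result, and it also handles a case the one-liner does not: OpenSSH 6.8 and later accept a legitimate -G flag, so on a modern client the check would report a clean host as "infected". The function and file names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original advisory). The one-liner works because
# the Windigo-backdoored OpenSSH client silently accepts an undocumented -G
# option, while an unmodified client of that era rejects it with
# "illegal option" or "unknown option". OpenSSH 6.8+ added a real -G flag
# (print the evaluated configuration), so on those versions the test cannot
# decide; that is reported as "inconclusive" so the operator falls back to
# the other indicators in the technical report.

# classify_ssh_g STDERR_OUTPUT VERSION_STRING -> prints clean|infected|inconclusive
classify_ssh_g() {
    output=$1
    version=$2
    case "$output" in
        *illegal*|*unknown*) echo clean; return 0 ;;
    esac
    # Parse "OpenSSH_6.6.1p1 ..." into "6 6"; anything unparseable becomes 0 0.
    ver=$(printf '%s\n' "$version" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    set -- $ver
    major=${1:-0}
    minor=${2:-0}
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo inconclusive   # -G is legitimate on this version; the test cannot decide
    else
        echo infected       # an old client that should have rejected -G but did not
    fi
}

# Run the live check against the ssh client installed on this host.
run_check() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo inconclusive   # no ssh client present, nothing to test
        return 0
    fi
    out=$(ssh -G 2>&1 </dev/null) || true   # no host given, so only usage/error text appears
    ver=$(ssh -V 2>&1) || true              # ssh -V writes its version string to stderr
    classify_ssh_g "$out" "$ver"
}

run_check
```

Constructed sample inputs for the three outcomes: "ssh: illegal option -- G" with any version is clean; a bare usage line with OpenSSH_5.3p1 is infected; the same usage line with OpenSSH_7.4p1 is inconclusive.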

Because the malware runs with root-level access, the researchers advise anyone infected to wipe their servers completely and rebuild them from scratch using a verified source.
If infected, one should assume that all administrator and user credentials have been compromised, so every password must be reset.

Please read the technical report, which explains in detail how this threat operates and how you can detect it and clean your server. Download it here.