
25,000 co-opted Linux servers spread spam, drop malware and steal credentials

A new report details how 25,000 servers were compromised. The attacks would have failed if more than single-factor login (username/password) had been required.

 

Image: IT security lock (iStock)

Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This report was a joint research effort by ESET, CERT-Bund, SNIC and CERN. The key phrase in the report title is “server-side.”

Over the past two years, ESET has chronicled 25,000 malware-infected servers that have been instrumental in:

  • Spam operations (averaging 35 million spam messages per day)
  • Infecting site visitors’ computers via drive-by exploits
  • Redirecting visitors to malicious websites

The report talks about two well-known organizations that became victims of Windigo: "This operation has been ongoing since 2011 and has affected high-profile servers and companies, including cPanel and Linux Foundation’s kernel.org."

Single-factor logins make it easy

The Linux servers had a common thread — all were infected with Linux/Ebury, malware known to provide a root backdoor shell along with the ability to steal SSH credentials. The report also said, “No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.”

In a sense, that helps explain the compromise, as Linux servers themselves are for the most part bulletproof: the attackers went after credentials rather than the software.

Image: Pierre-Marc Bureau (ESET)

So, how did attackers get root-access credentials, log in, and ultimately install the malware?

For those answers, I enlisted the help of Pierre-Marc Bureau, security intelligence program manager for ESET. Bureau said all it takes is compromising one server in a network; after that it becomes easy. Once root is obtained, attackers install Linux/Ebury on the compromised server and start harvesting SSH-login credentials.

With the additional login credentials, attackers explore to see what other servers can be compromised in that particular network.
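One way a defender could look for the pattern Bureau describes (a password stolen on one compromised host and then replayed against the rest of the fleet) is to correlate successful sshd logins collected from several servers. The following is an added example, not code from ESET's report or from the article; the log lines are constructed in the standard OpenSSH syslog format, and the hostnames, addresses and fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches successful OpenSSH logins in syslog form, e.g.
# "Mar 18 10:05:17 web01 sshd[1301]: Accepted password for root from 10.0.0.7 port 40122 ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>password|publickey|keyboard-interactive/pam) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: auth logs gathered from several servers (hostnames and
# addresses are made up for the example).
SAMPLE_LOG = """\
Mar 18 10:01:02 web01 sshd[1234]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2: RSA SHA256:abcdef
Mar 18 10:05:17 web01 sshd[1301]: Accepted password for root from 10.0.0.7 port 40122 ssh2
Mar 18 10:06:40 db01 sshd[877]: Accepted password for admin from 10.0.0.7 port 40130 ssh2
Mar 18 10:08:03 mail01 sshd[2210]: Accepted password for admin from 10.0.0.7 port 40141 ssh2
Mar 18 10:09:55 backup01 sshd[665]: Accepted password for admin from 10.0.0.7 port 40150 ssh2
Mar 18 11:00:00 web02 sshd[4001]: Failed password for invalid user test from 198.51.100.9 port 22222 ssh2
"""


def parse_logins(lines):
    """Return one dict per successful login; lines that are not 'Accepted' events are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(lines, fanout_threshold=3):
    """Return alerts as (rule, subject, detail) tuples.

    root-password-login: root authenticated with only a password on some host.
    password-fanout: one source address logged in with passwords to at least
    fanout_threshold distinct hosts, the shape of a stolen credential being
    replayed across a fleet rather than an admin working on one box.
    """
    alerts = []
    hosts_by_src = defaultdict(set)
    for e in parse_logins(lines):
        if e["method"] == "password" and e["user"] == "root":
            alerts.append(("root-password-login", e["host"], e["src"]))
        if e["method"] == "password":
            hosts_by_src[e["src"]].add(e["host"])
    for src, hosts in sorted(hosts_by_src.items()):
        if len(hosts) >= fanout_threshold:
            alerts.append(("password-fanout", src, tuple(sorted(hosts))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The fan-out rule only counts password logins; public-key logins from a bastion or deployment host are expected to reach many servers and would otherwise swamp the alert.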

This slide depicts the infection process:

 

Image: Infection process slide (ESET)
 

Additional malware

As mentioned earlier, the infected servers are part of spam campaigns, redirect visitors to malicious websites, or download malware to the victim’s computer if it is vulnerable. In order to accomplish this, the attackers install additional malware on the servers, consisting of:

  • Linux/Cdorked: Provides a backdoor shell and distributes Windows malware to end users via drive-by downloads
  • Linux/Onimiki: Resolves domain names with a particular pattern to any IP address, without the need to change any server-side configuration
  • Perl/Calfbot: A lightweight spam bot written in Perl

The victims

The report mentions two types of victims: Linux/Unix server operators, and end users who receive spam and/or visit a website hosted by a compromised server. In that regard, ESET has determined that compromised servers try to download the following Windows malware:

  • Win32/Boaxxe.G: A click fraud malware
  • Win32/Glubteta.M: A generic proxy targeting Windows computers

Snort and Yara rules

ESET has worked up Snort and Yara rules that can be found at GitHub.


25 comments
zokk1959

Beware of a company named DRIVERUPDATE.NET. When you download their program you will get more viruses than you can handle, and then they will charge you MORE for getting rid of the viruses that DRIVERUPDATE.NET gave you in the first place, 49.87 for a worthless product. BUYER BEWARE

mark

When a server's credentials are compromised an antivirus won't help.


If someone compromises a server and has root credentials they can do anything. 

Stop AV, delete the kernel ANYTHING. 

Antivirus would do little more than require the server to have access to the internet to get updates or require a server admin to load definitions on a USB key, both would present more security holes. In essence a good Linux server setup locked down with end point (network) monitoring appliance to see what is leaving the network will be a MUCH better solution than AV on Linux server.

VortexCortex

"But wait! It's Linux! Impossible! Nothing can break Linux."

Cue the "anything can be hacked" standard response, which only comes after accusing Windows of being *the* (singular) security problem among OSes, "inherently" insecure, yada yada yada. Apparently, we're simply supposed to look the other way when encountering all the non sequitur arguments by the anti-Microsoft/pro-Linux gang.

RobertMoore12

I thought Linux was bulletproof and could NOT be compromised. Apparently Linux is no more secure than Windows or OS X, if it can be compromised this easily.

pgit

All you have to do is disable SSH v1 and completely disallow login via password (use keys only). You can protect keys with a password, but the server has to recognize the key first, before you'll be prompted for its password.


Now the black hats would have to try to exploit scp to get their unauthorized public key onto the authorized_keys file on the server... but really I don't see how that would work, as the 'chicken or the egg' principle applies: how can you attempt to exploit scp if it requires a valid key?


scp, and ssh itself, would have to be badly broken for this to be doable.


Two-factor auth is great, by all means deploy the method of your choosing. But as I see it, having ssh set to not even consider passwords is the way to go. I wonder if any of these 25k machines would have been cracked if ssh v1 had been disabled?
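The settings pgit is arguing for (no protocol 1, no password logins, keys only) are easy to state but easy to get subtly wrong, because sshd honours the first occurrence of a keyword and some keyboard-interactive settings can still prompt for a password through PAM. The following is an added example, not pgit's code and not part of the article: a small auditor for the global section of an sshd_config, run against a constructed loose configuration and a constructed hardened one. The exact keywords are real OpenSSH directives; the two sample files and the finding messages are assumptions.

```python
import re

# Constructed sample: a loosely configured sshd_config of the kind the comment argues against.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed sample: keys only, protocol 2 only, root cannot log in with a password.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
"""


def parse_sshd_config(text):
    """Return the effective global keyword -> value map (keywords lower-cased).

    sshd applies the first occurrence of a keyword, so earlier lines win.
    Directives inside Match blocks apply only conditionally; this audit stops
    at the first Match (assumption: we audit global settings only).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd_config(text):
    """Return (keyword, finding) pairs for settings that still allow SSH v1 or single-factor password logins."""
    cfg = parse_sshd_config(text)
    findings = []
    if "1" in cfg.get("protocol", "").split(","):
        findings.append(("protocol", "SSH protocol 1 is enabled"))
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("passwordauthentication", "password logins allowed (the default when unset)"))
    root = cfg.get("permitrootlogin")
    if root is None or root.lower() == "yes":
        findings.append(("permitrootlogin", "root login not restricted; set 'prohibit-password' or 'no'"))
    if cfg.get("permitemptypasswords", "no").lower() == "yes":
        findings.append(("permitemptypasswords", "empty passwords accepted"))
    # KbdInteractiveAuthentication is the newer name; ChallengeResponseAuthentication the older alias. Default is yes.
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() == "yes":
        findings.append(("challengeresponseauthentication",
                         "keyboard-interactive enabled; with UsePAM this can still prompt for a password"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; on a live host, `sshd -T` prints the effective configuration and is the authoritative check, since it also resolves Match blocks and compile-time defaults this parser does not model.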

mcijeffb

I love ssh keys. I use them hundreds of times a day. I NEVER put my private key on a server that isn't 100% mine, physically and administratively. When I am allowed to, I prevent users of machines I administrate from placing their private keys on the machine.

mcijeffb

I hate to point out the obvious, but putting a fake, blank, uneditable ssh private key in each users home directory goes a long way towards fixing the effects of this intrusion.  While I understand the usefulness of ssh keys, and use them extensively, I NEVER put my private key somewhere I do not have complete control, including physical access, of the host.  If I allow a user to put their private key on a machine I administrate, I can only assume that they have done the same thing on machines administrated by other people.  Assuming that is true, I allow every other system administrator access to the machines I administrate.

Gisabun

Don't you just love it that Linux servers [technically more secure than others] are dishing out malware to Windows users...

ArtyChoked

I am a huge fan of rootkit/infection seeking tools, such as rkhunter. Does anyone know of such a tool that is sensitive to these three ploys?

Nathan.

Greg, if you read the article you would've read that the fault lay in stolen credentials and not the Linux servers. They managed to gain root access, discovered the password on a single server and then compromised SSH keys to discover the credentials of other users to gain access to other servers.

What I can see happening from this is some form of additional authentication requirement for admin access to servers in future. The weakest link in network security is users, as has always been the case. Perhaps single-use passwords or biometrics could be used in combination with the standard username/password to gain root access.

Chris Hanecak

Greg Foreman, Linux is inherently more secure than Windows, but no system is invulnerable; any system can also be misconfigured, thus making it vulnerable. Also, any system can be made more secure with proper planning, configuration and vigilance from the system administrator.

Greg Foreman

Now I'm confused. According to most Linux fanboys only Windows systems are vulnerable to attacks.

CharlieSpencer

I agree an appliance would be better than AV.   I submit AV would be better than nothing, even with manual updating.  AV might not have blocked that initial penetration, but it may have prevented the spread on the subsequently affected machines.


A default Linux server install may be inherently more secure than a Windows one, and it may require less work to fully secure.  Can we agree both need some degree of post-installation attention and not blindly trusted in their 'out of the box' configurations?

mark

@VortexCortex  

Should have said "Cue the 'I have no fundamental understanding of Linux or Unix'" standard comment.

If this were an article about infected windows servers over a several year period we would be looking at numbers in the MILLIONS. 

mark

@RobertMoore12  


LOL literally. 


I will take a standard Linux install, no patches, say RHEL 6.4, and a Windows 2012 server unpatched, and place them both on the internet unprotected w/o firewall or AV, and we shall see who is standing. By the end of the day the Windows server will be compromised, and I will bet good $$$ the Linux server would have no issues if it were set up properly (nothing special, just strong passwords etc.).


PS I am split about 80% Linux and 20% of my admin time to windows. I support both and we have many more security issues with Windows. 


Michael Kassner

That is correct, Chris.


The OS is not at fault in this situation, the attack is leveraging the weakness of single-factor authentication.

Michael Kassner

Greg,


All operating systems are vulnerable if the attackers gain root or administrative access. Installing the malware then becomes the same as installing any normal program. 


What is required is to subvert the first server; then, when admins log into it, the malware records their login information. That is why a multi-factor authentication method is needed.

mark

@CharlieSpencer  

I agree that is what a good administrative staff is for. Watch and know your network / servers. 


TrajMag

@Michael Kassner 


Then why did you write the article title the way you did? I have great respect for your articles, but the inference that Linux is responsible for this breach in the title is a slip-up this time.

CharlieSpencer

Where the fanboys are mistaken is their cry, "With Linux, you don't need anti-virus software!" While single-factor authentication will leave any OS vulnerable, an A/V application could have prevented the effects. It also would defend against well-intentioned admins who fall prey to social engineering bait.
