Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This report was a joint research effort by ESET,
CERT-Bund, SNIC and CERN. The key phrase in the
report title is “server-side.”

Over the past two years, ESET has chronicled
25,000 malware-infected servers that have been instrumental in:

  • Spam
    operations (averaging 35 million spam messages per day)
  • Infecting
    site visitors’ computers via drive-by exploits
  • Redirecting
    visitors to malicious website

The report talks about two well-known
organizations that became victims of Windigo: “This operation has been ongoing since
2011 and has affected high-profile servers and companies, including cPanel and
Linux Foundation’s”

logins make it easy

The Linux servers had a common thread — all were infected with
malware known to provide a root backdoor shell along with the ability to steal
SSH credentials. The report also said, “No vulnerabilities were exploited on
the Linux servers; only stolen credentials were leveraged.”

a sense that helps explain the compromise, as Linux servers are for the most
part bulletproof. 

 So, how did attackers get root-access credentials, login, and
ultimately install the malware?

For those answers, I enlisted the help of Pierre-Marc
, security intelligence program manager for ESET. Bureau said all it takes
is to compromise one server in a network, then it becomes easy. Once root is
obtained, attackers install Linux/Ebury on the compromised server, and start
harvesting SSH-login credentials.

With the additional login credentials, attackers
explore to see what other servers can be compromised in that particular

This slide depicts the infection process:




As mentioned earlier, the infected servers are part of spam
campaigns, redirect visitors to malicious websites, or download malware to the
victim’s computer if it is vulnerable. In order to accomplish this, the attackers
install additional malware on the servers, consisting of:

  • Linux/Cdorked:
    Provides a backdoor shell and distributes Windows malware to end users via
    drive-by downloads
  • Linux/Onimiki: Resolves
    domain names with a particular pattern to any IP address, without the need to
    change any server-side configuration
  • Perl/Calfbot: A lightweight
    spam bot written in Perl


The report mentions there are two types of victims, the
Linux/Unix server operators, and end-users who receive spam and or visit a
website hosted by a compromised server. In that regard, ESET has determined
that compromised servers try to download the following Windows malware:

  • Win32/Boaxxe.G: A
    click fraud malware
  • Win32/Glubteta.M: A generic
    proxy targeting Windows computers

and Yara rules

ESET has worked up Snort and Yara rules that can be found at