Linux malware infected 10k+ servers worldwide - Operation WINDIGO

Recent disclosure of a malware by Nod Eset security firm, revealed astonishing details of how intruders used sophisticated techniques to attack Web Servers, Email Servers, DNS servers etc., They operated in a group and used four different malwares. Nod Eset estimated that the group operated from 2011.
The backbone of their whole operation is a malware called as Linux/Ebury.

 

It is a highly sophisticated stealth malware that patches the openSSH server when it is loaded into RAM of the server. The group injected malware code into libkeyutils.so of the openSSH server package. When the openSSH executable loads the dynamically linked library libkeyutils.so, the malware code first makes sure it is being loaded by openSSH and then hooks few functions of the parent process to malicious functions using dlopen(), dlsym(). The attackers then stole SSH credentials of every login attempt and stored them in shared memory. This way they maintained stealth. Then the process sent those stored credentials to their Command and Control (CC) servers through DNS outbound packets. They evaded firewalls by using this trick. They maintained a backdoor in the server through openSSH to maintain access if the credentials are changed by the administrator.

The next malware is perl/CalfBot. It is an obfuscated perl script that sends spam mails. Nod ESET estimated that they can send 35 million spam messages per day. The spam messages were targeted at Gmail, Yahoo, Hotmail etc.,  This used sendmail, mail on the infected systems.

The next malware is Linux/Onimiki. It affected DNS servers and replaced the entire binary of the DNS servers. It allowed them to control creation of domain names and their validity. This played a pivotal role in sending spam. They used expiration time as low as 24 hours. Thus they evaded spam filtering mechanisms and blacklisting.

The group's main aim is money. They used the entire network to redirect web uses from their legitimate sites. They redirected them to advertising networks.

The research found that the average root password length is 11.07 characters. The minimum is 3 characters, maximum 50 characters.
Share on Google Plus

About Venkata Jaswanth U

ThoughtWorker, Computer Science graduate from India. I am passionate programmer, blogger, thinker. I love open-source and linux. I love making friends. Just send me 'hi' to any of my social profiles. I love helping people.
    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment

We love your Feedback