An In-depth Analysis of Linux/Ebury

SweX · Feb 21, 2014

ESET has been analyzing and tracking an OpenSSH backdoor and credential stealer named Linux/Ebury. The result of this work on the Linux/Ebury malware family is part of a joint research effort with CERT‑Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and other organizations forming an international Working Group.
Click to expand...

http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

SweX · Mar 18, 2014

Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign

Since last year, ESET’s research team has been investigating the operation behind Linux/Ebury. We discovered an infrastructure used for malicious activities that is all hosted on compromised servers.
Click to expand...

http://www.welivesecurity.com/2014/...er-side-credential-stealing-malware-campaign/

SweX · Mar 18, 2014

Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo

If you run a website on a Linux server or are responsible for the security of your company’s Unix servers, there’s something very important you should do right now.
Click to expand...

http://www.welivesecurity.com/2014/03/18/attack-unix-operation-windigo/

Gullible Jones · Mar 18, 2014

Thanks, SweX, I'll make sure some people I know see this.

SweX · Mar 18, 2014

Gullible Jones said:

Thanks, SweX, I'll make sure some people I know see this.
Click to expand...

You're welcome GJ

Malcontent · Mar 18, 2014

Malware Attack Infected 25,000 Linux/UNIX Servers

http://blog.eset.ie/2014/03/18/oper...000-unix-servers-hijacked-by-backdoor-trojan/

Security researchers at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing as well as other agencies, have uncovered a widespread cybercriminal campaign that has seized control of over 25,000 Unix servers worldwide.

The attack, which has been dubbed “Operation Windigo” by security experts, has resulted in infected servers sending out millions of spam emails. Its complex knot of sophisticated malware components are designed to hijack servers, infect the computers that visit them, and steal information. Victims of “Operation Windigo” have included cPanel and kernel.org.
Click to expand...

Dermot7 · Mar 18, 2014

Our friends over at ESET released a very detailed document about the Windigo Operation. The Windigo Operation has been responsible for the compromise of thousands of Linux servers over the years. When you hear terms like Ebury, CDorked, Calfbot and others, they are all related to each other.

Over the last few years, our team has been handling and fixing compromised servers and we can attest to how complex the clean up for this infection can be. We’ve seen that the servers we’ve fixed have been misused for distribution of malware, SPAM and, in some cases, to steal credit cards on compromised web servers used for e-commerce.
Click to expand...

http://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html

lotuseclat79 · Mar 19, 2014

10,000 Linux servers hit by malware serving tsunami of spam and exploits.

Two-year-old Windigo may also have infected kernel.org Linux developers.
Click to expand...

-- Tom

Gullible Jones · Mar 19, 2014

Lovely. I would hope that all the presumably stolen credentials have been revoked by now...

siljaline · Mar 19, 2014

Re: Malware Attack Infected 25,000 Linux/UNIX Servers

From *ESET Ireland* - >
OPERATION WINDIGO: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan

From Dan Goodin at ARS (more or less a re-hash of the above with some embellishment)
http://arstechnica.com/security/201...malware-serving-tsunami-of-spam-and-exploits/

Baserk · Mar 19, 2014

Two-year-old Windigo may also have infected kernel.org Linux developers.
Click to expand...

I'd say, it's the mother of all malware if it can infect people.
(Couldn't resist, )

edit: On topic, gruesome infection but the initial vector was rather simple, password theft.

siljaline · Mar 21, 2014

Re: Malware Attack Infected 25,000 Linux/UNIX Servers

The Linux security spell is broken

The Linux community joins the rest of us schmucks in the sad security state as news breaks of massively infected Unix servers
Click to expand...

http://www.infoworld.com/t/cringely/the-linux-security-spell-broken-238717

Gullible Jones · Mar 21, 2014

Ick. Where to start...

- Linux has never been truly secure on desktops *or* servers; just more secure than some of the competition, some of the time.

- Linux is still pretty safe from desktop malware. That is completely different from being theoretically secure in any way.

- There have been compromised Linux servers galore for ages.

- If a server is compromised by brute-forcing the SSH password from a remote IP, that is purely the sysadmin's fault. (In fact that juxtaposition of the words "SSH", "password", and "remote" should set off alarm bells right away.)

ronjor · Mar 21, 2014

Ancient Linux servers: The blighted slum houses of the Internet

Mass compromise infects old Web servers running Linux versions from 2007.

by Dan Goodin - Mar 21 2014, 1:00pm CST
Click to expand...

http://arstechnica.com/security/201...ers-the-blighted-slum-houses-of-the-internet/

siljaline · Mar 21, 2014

Re: Malware Attack Infected 25,000 Linux/UNIX Servers

Linux and botnets: It's not Linux's fault!

I couldn't blame you, if -- based on recent headlines such as "Linux worm Darlloz targets Intel architecture to mine digital currency" and "Botnet of thousands of Linux servers pumps Windows desktop malware onto web" -- you thought Linux was as full of holes as Windows XP. If you take a closer look, you'll find that Linux isn't the problem. No, the real security hole lies with some of Linux's administrators and users.
Click to expand...

http://www.zdnet.com/linux-and-botnets-its-not-linuxs-fault-7000027538/

siljaline · Mar 21, 2014

Re: Malware Attack Infected 25,000 Linux/UNIX Servers

Attackers Picking Off Websites Running 7-Year-Old Unsupported Versions of Linux

The risks presented by unsupported operating systems are being called out in a large-scale attack on hundreds of websites.

Hackers have hit web servers running a version of the Linux 2.6 kernel released seven years ago. The result is a multistage attack where compromised websites are spiked with JavaScript that redirects users to a second site where additional malware is served. [...]
Click to expand...

http://threatpost.com/attackers-pic...year-old-unsupported-versions-of-linux/104957

Baserk · Mar 22, 2014

Ars Technica and Cisco Provide Another Example of Bad Security Reporting link

If you read Cisco’s blog though they only state “it is possible” that a “vulnerability that has since been patched in later Linux release” was the source of the hack, while Ars Technica says that it “appears” to be the case. Here is the relevant section of Cisco’s post:

Attackers compromised legitimate websites, inserting JavaScript that redirects visitors to other compromised websites. All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier. It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.

That turns out to be less of an issue then the fact that the websites are not even all running Linux, much less the Linux 2.6 Kernel. Some websites provide information on the software running the in HTTP headers served with the page. Our Server Details web browser extension, available for Chrome and Opera, can parse those HTTP headers to provide the details in them and warn for outdated software. Using those headers we started going through the Cisco’s list of compromised websites and second compromised websites. For each we have listed below the first five websites we found not running Linux and what operating system they are running:

Compromised Websites

archive.mrpools.co.uk Windows Server 2003
blueprintbowling.com Windows Server 2008 R2
hwy65mx.com Windows Server 2003
jandjpoolspa.com Windows Server 2003
mussotra.com Windows Server 2003
Second Compromised Websites

3d2print.eu FreeBSD
7va.cc Windows Server 2008 R2
babycaust.info Windows Server 2008
banderil.com.ar Windows Server 2008 R2
c2consultores.com.ar Windows Server 2008 R2

Cisco provides no evidence of how the websites were hacked, which is the really important thing to prevent more websites from being hacked. If they had actually determined how it was hacked before jumping to speculation then they wouldn’t have tried to connect this to Linux, which it seems pretty likely it doesn’t have anything to do with. Cisco also has provided no evidence this has anything to do with outdated software, if we were to make an educated guess based on the evidence provide so far we would say it is more likely due to compromised FTP credentials, which could easily be checked for by reviewing the FTP logs for the websites.

We should also note that the use of the Linux 2.6 kernel is does not indicate that website using obsolete software, as distributions including Debian, Ubuntu, and Red Hat still have supported releases that use that version of the Linux kernel.
Click to expand...

Big quote, it's all there.
No, linux isn't perfect, impenetrable, 100% safe etc but the Cisco blog and ensuing article(s) are at least dubious.

edit;
Information on Cisco Blog has been corrected.
Lots of text about linux/linux kernel 2.6 striked link

SweX · Apr 11, 2014

Windigo not Windigone: Linux/Ebury updated

There have been some interesting new developments since we published our report on Operation Windigo. In this blog post you will read about a Linux/Ebury update, more details around our publicly released indicators of compromise (IOC), and we wanted to thank the security community for its help since the release of the report.
Click to expand...

http://www.welivesecurity.com/2014/04/10/windigo-not-windigone-linux-ebury-updated/

SweX · Oct 3, 2014

ESET Researchers Win "Péter Szőr Award" for Windigo paper at Virus Bulletin Conference

Péter Szőr Award was established in commemoration of the life and work of security researcher Péter Szőr, who passed away in November 2013. The award recognizes the best piece of technical security research conducted each year, with the winner announced at a gala dinner held at the annual Virus Bulletin Conference.

"ESET Canada are worthy winners of this inaugural award in memory of the great Péter Szőr. The depth and breadth of the Operation Windigo investigation, the use of a range of groundbreaking techniques, and the high level of collaboration with other researchers and affected parties are all very much in the spirit of Péter's own excellent work. We hope this award will serve to encourage further superior-quality research from ESET and others in the future," said John Hawes, Chief of Operations at Virus Bulletin.
Click to expand...

http://www.eset.com/int/about/press...r-windigo-paper-at-virus-bulletin-conference/

Minimalist · Oct 15, 2014

Operation Windigo: “Good job, ESET!” says malware author

Following the recognition at Virus Bulletin 2014 of ESET’s research on Operation Windigo, I took the opportunity to ask Marc-Etienne Léveillé – who worked directly on the Operation Windigo report a few questions. Marc-Etienne is a malware researcher at ESET. He is interested in reverse engineering Linux and OS X malware. He is passionate about making links between different malware to have an overall view of how they are interconnected.
Click to expand...

http://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/

siljaline · Jan 12, 2015

Malware coders adopt DevOps to target smut sites

[...]Malware writers used Bash and Perl scripts streamed through SSH rather than having them downloaded on a server meaning the code was never written on the server forcing ESET to man-in-the-middle the SSH protocol running on a Windigo-infected honeypot.[...]
Click to expand...

http://www.theregister.co.uk/2015/01/12/linux_vxers_hit_devs_where_it_hurts_p0rn_sites/

Log in or Sign up

An In-depth Analysis of Linux/Ebury

SweX Registered Member

SweX Registered Member

SweX Registered Member

Gullible Jones Registered Member

SweX Registered Member

Malcontent Registered Member

Dermot7 Registered Member

lotuseclat79 Registered Member

Gullible Jones Registered Member

siljaline Registered Member

Baserk Registered Member

siljaline Registered Member

Gullible Jones Registered Member

ronjor Global Moderator

siljaline Registered Member

siljaline Registered Member

Baserk Registered Member

SweX Registered Member

SweX Registered Member

Minimalist Registered Member

siljaline Registered Member

Log in or Sign up

An In-depth Analysis of Linux/Ebury

SweX Registered Member

SweX Registered Member

SweX Registered Member

Gullible Jones Registered Member

SweX Registered Member

Malcontent Registered Member

Dermot7 Registered Member

lotuseclat79 Registered Member

Gullible Jones Registered Member

siljaline Registered Member

Baserk Registered Member

siljaline Registered Member

Gullible Jones Registered Member

ronjor Global Moderator

siljaline Registered Member

siljaline Registered Member

Baserk Registered Member

SweX Registered Member

SweX Registered Member

Minimalist Registered Member

siljaline Registered Member

Useful Searches