Security firm ESET today published a technical analysis on Linux/Ebury, an OpenSSH backdoor and credential stealer the company discovered last month. Over the last few weeks, thousands of victims have been notified that their servers were infected, and the details being released today are in an effort to raise further awareness. Dubbed Operation Windigo, the scheme runs on an infrastructure entirely hosted on compromised computers: 25,000 Linux servers in total over the last two years, with over 10,000 still infected today.
The number is significant, as ESET points out, given that each of these systems has access to significant bandwidth, storage, computing power, and memory. The group behind the malware uses the infected systems to steal credentials, redirect Web traffic to malicious content, and send spam messages. The malware has had a particularly large impact in Germany, France, the UK, and the US.
The infected servers are used to redirect half a million Web visitors to malicious content every day, according to the security firm's estimate. Furthermore, ESET believes the attackers are able to send more than 35,000,000 spam messages per day with the current infrastructure. Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and Windows (with Perl running under Cygwin).
Further reading: Operation Windigo: The vivisection of a large Linux server-side credential stealing malware campaign | Whitepaper (PDF) | Indicators of Compromise (GitHub)