
This article was published on March 18, 2014

    Operation Windigo: 10,000 infected Linux servers redirecting half a million visitors to malware every day

    Story by Emil Protalinski

    Emil was a reporter for The Next Web between 2012 and 2014. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, TechSpot, ZDNet, and CNET. Stay in touch via Facebook, Twitter, and Google+.

    Security firm ESET today published a technical analysis of Linux/Ebury, an OpenSSH backdoor and credential stealer the company discovered last month. Over the last few weeks, thousands of victims have been notified that their servers were infected, and the details released today are intended to raise further awareness. Dubbed Operation Windigo, the scheme runs on an infrastructure hosted entirely on compromised computers: 25,000 Linux servers in total over the last two years, with over 10,000 still infected today.

    The number is significant, as ESET points out, because each of these systems has access to substantial bandwidth, storage, computing power, and memory. The group behind the malware uses the infected systems to steal credentials, redirect Web traffic to malicious content, and send spam messages. The malware has had a particularly large impact in Germany, France, the UK, and the US.

    The infected servers are used to redirect half a million Web visitors to malicious content every day, according to the security firm's estimate. Furthermore, ESET believes the attackers are able to send more than 35,000,000 spam messages per day with the current infrastructure. Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and Windows (with Perl running under Cygwin).

    ➤ Operation Windigo: The vivisection of a large Linux server-side credential stealing malware campaign | Whitepaper (PDF) | Indicators of Compromise (GitHub)

    Image Credit: George Crux