A team of security researchers from ESET, in collaboration with the German CERT-Bund and the Swedish NCIS, has uncovered an attack that has compromised 25,000 UNIX and Linux servers over a period of at least three years. Named Windigo, after the Wendigo, an evil cannibalistic creature of American Indian folklore, the malware takes the form of a Trojan.
More than 35 million spam messages are sent every day to innocent users, threatening the security of their computers. In addition, every day more than half a million computers are put at risk by visiting a website whose server is infected: the visitor is redirected to malware or to advertising.
The peculiarity of this infection, which is installed on UNIX or Linux servers, is that it does not react in the same way to a Windows computer visiting an infected site as it does to a Mac or even an iPhone. On Windows, Windigo attempts to install malware via an exploit kit. Mac OS users are shown ads for dating sites, and iPhone owners are redirected to pornographic content.
The malware relies on the Linux/Ebury OpenSSH backdoor in combination with other malicious components.
Windigo consists of three main components:
– Linux/Ebury – an OpenSSH backdoor used to maintain control of the server and steal credentials;
– Linux/Cdorked – an HTTP backdoor that redirects web traffic;
– Perl/Calfbot – a Perl script used to send spam.
ESET researchers recommend that UNIX system administrators and webmasters run the following command to check the integrity of their system:
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
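The check above works because, in 2014, a stock OpenSSH client rejected the `-G` flag with an "illegal option" or "unknown option" error, whereas the Ebury-patched client silently accepted it. The script below is an added example, not part of the article or of ESET's published material: it wraps that logic in a function that takes the path of the ssh binary to test, and builds two constructed stand-in scripts (one imitating a clean client, one imitating a client that accepts `-G`) so the logic can be exercised offline without touching the real ssh. Note that OpenSSH 6.8 and later added a legitimate `-G` option, so on current systems this check reports "infected" for a clean binary and should be replaced by the package manager's file integrity verification (for example `rpm -V openssh-clients` or `debsums openssh-client`).

```shell
#!/bin/sh
# Added example (not from the article or ESET): the Windigo-era ssh check as a
# function that tests an arbitrary ssh binary, plus constructed stubs for demos.
# Assumption: a clean 2014-era ssh rejects -G with "illegal option"/"unknown
# option"; an Ebury-patched ssh accepts it. OpenSSH >= 6.8 accepts -G legitimately,
# so on modern systems prefer package integrity checks (rpm -V / debsums).

# Runs the ESET check against the given ssh binary (default: ssh on PATH).
# Prints the verdict and returns 0 for "clean", 1 for "infected".
windigo_ssh_check() {
    ssh_bin="${1:-ssh}"
    if "$ssh_bin" -G 2>&1 | grep -q -e illegal -e unknown; then
        echo "System clean"
        return 0
    else
        echo "System infected"
        return 1
    fi
}

# Constructed stand-ins for demonstration only: two tiny scripts that imitate
# the two behaviours the check distinguishes. Prints the directory containing
# "ssh_clean" and "ssh_trojaned".
make_stubs() {
    dir="$(mktemp -d)"
    # Imitates a stock client: rejects -G on stderr and exits non-zero.
    printf '%s\n' '#!/bin/sh' 'echo "ssh: unknown option -- G" >&2' 'exit 255' > "$dir/ssh_clean"
    # Imitates a patched client that quietly accepts -G.
    printf '%s\n' '#!/bin/sh' 'exit 0' > "$dir/ssh_trojaned"
    chmod +x "$dir/ssh_clean" "$dir/ssh_trojaned"
    echo "$dir"
}

# Demo: ./windigo_check.sh --demo  (the stubs are constructed, not real binaries)
if [ "${1:-}" = "--demo" ]; then
    d="$(make_stubs)"
    windigo_ssh_check "$d/ssh_clean"
    windigo_ssh_check "$d/ssh_trojaned"
fi
```

The function keeps the original's `-e illegal -e unknown` pattern so both BSD getopt error strings are recognised; `grep -q` replaces the `> /dev/null` redirection with the same effect. To check the live system the way the article intends, call `windigo_ssh_check` with no argument, bearing in mind the OpenSSH 6.8 caveat.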