MORE THAN 25,000 Linux and Unix servers were compromised over the last two years to steal Secure Shell (SSH) credentials, redirect web users to malicious content and send spam, security firm ESET has reported.
ESET said the servers were exploited as part of a large server-side credential stealing malware campaign named Operation Windigo, and has published a report about the campaign.
"The gang behind Operation Windigo uses infected systems to steal credentials, redirect web traffic to malicious content, and send spam messages," ESET said. "According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today."
These servers have all been compromised with the Linux/Ebury OpenSSH backdoor, ESET established, which the firm said is significant considering that each of the systems has access to significant bandwidth, storage, computing power and memory.
"Well known organizations such as cPanel and kernel.org were on the list of victims, although they have now cleaned their systems," ESET said on a blog post. It reported that the infected servers are used to redirect half a million web visitors to malicious content every day.
"Our research also shows that the attacker is able to send more than 35,000,000 spam messages per day with his current infrastructure. Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and even Windows (with Perl running under Cygwin)," said ESET.
ESET said it chose the name "Windigo" for its North American first nation roots and for its references to a malevolent half-beast. It is working on dismantling the operation with help from the European Organization for Nuclear Research (CERN) and the Swedish National Infrastructure for Computing to form an international working group.
"With the help of the working group, thousands of victims have been notified that their servers were infected, in an effort to clean as many systems as possible. We are now releasing a complete white paper in hopes of raising awareness around Operation Windigo and motivating administrators to clean up their compromised servers," ESET said. µ
Speeds won't be throttled, but data usage will be capped
Apple means business
Attack saw 866 million credentials exposed
'Hundreds' of handsets at risk of SMS theft