A mass compromise of Linux servers, used to steal credentials and redirect traffic to malicious content, has spread to Australia, security researchers have found.
Security firm ESET analysed what it termed 'Operation Windigo', a global malware campaign that used a backdoor in OpenSSH, an open source implementation of the Secure Shell (SSH) remote access protocol used to administer servers.
Over the past two years, ESET says more than 25,000 servers were affected; of these, over 10,000 remain infected today, with hundreds located in Australia.
"We have seen more than 400 server infections related to Operation Windigo in Australia. This means that Australians have been exposed to an increased level of annoyance such as spam, advertisement and malware," ESET's security intelligence program manager Pierre-Marc Bureau told iTnews.
"Like everybody else, Australians are exchanging data with servers all over the globe when browsing websites and receiving emails, and so are potentially opening themselves up to other infected servers as well."
The Windigo campaign forms a large, complex network, building its supporting infrastructure from nginx reverse proxies, TinyDNS resolvers for domain name lookups, SSH tunnels for encrypted command and data traffic, and Windows-based malware delivered in drive-by attacks on visitors to infected sites, ESET said.
While ESET did not name the operators behind Windigo, the security vendor said they have been active since at least 2011.
It's not just Linux servers that have been compromised through the OpenSSH Ebury backdoor: ESET noted that systems running Apple's OS X, OpenBSD, FreeBSD and Microsoft Windows (through the Cygwin layer) have all been abused by Windigo, albeit at a smaller scale.
Every day, over half a million visitors are redirected to exploit kits after visiting websites hosted on infected servers, ESET said.
Windigo is also responsible for sending 35 million spam messages a day, according to ESET.
To prevent infection, ESET suggested disabling both root login and password authentication over SSH. It also recommended using SSH agent forwarding rather than copying private keys onto servers, and enabling two-factor authentication.
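As an added illustration of the first two recommendations (this is not ESET's or the article's own code), the script below audits an sshd_config text for root login and password authentication and flags either one left enabled; the two sample configurations are constructed for the demonstration, and agent forwarding and two-factor authentication are out of its scope.

```shell
#!/bin/sh
# Added example, not from the article or ESET: check an sshd_config for the two
# server-side settings the article mentions, root login and password auth.

# Weak configuration (constructed): both settings left permissive.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no'

# Hardened configuration (constructed): key-based auth only, no root login.
HARDENED_CFG='Port 22
# PermitRootLogin yes   <- commented out, must be ignored by the audit
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Effective value of a keyword. sshd honours the FIRST uncommented occurrence
# of a keyword, so stop at the first match; keywords are case-insensitive.
sshd_directive() {
    # $1 = config text, $2 = keyword; prints the lowercase value or nothing
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Returns 0 when root login and password auth are both disabled, 1 otherwise.
# Absent keywords are scored with the OpenSSH defaults: PermitRootLogin is
# prohibit-password (OpenSSH 7.0+), PasswordAuthentication is yes.
audit_sshd_config() {
    cfg="$1"; rc=0
    root=$(sshd_directive "$cfg" PermitRootLogin)
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    [ -z "$root" ] && root='prohibit-password (default)'
    [ -z "$pw" ] && pw='yes (default)'
    case "$root" in
        no) echo "ok:   PermitRootLogin $root" ;;
        *)  echo "WEAK: PermitRootLogin $root (only 'no' blocks root login)"; rc=1 ;;
    esac
    case "$pw" in
        no) echo "ok:   PasswordAuthentication $pw" ;;
        *)  echo "WEAK: PasswordAuthentication $pw"; rc=1 ;;
    esac
    return $rc
}

# Demonstration: the weak config is rejected, the hardened one passes.
echo "--- weak config"; audit_sshd_config "$WEAK_CFG" || echo "result: REJECTED"
echo "--- hardened config"; audit_sshd_config "$HARDENED_CFG" && echo "result: PASSED"
```

To audit a live host, replace the constructed strings with `"$(cat /etc/ssh/sshd_config)"`; Match blocks are not evaluated by this simplified reader.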