Published on January 13th, 2015
Hackers running Linux Operation Windigo are changing tactics, targeting porn sites
Security experts at ESET discovered that the Windigo campaign is still active and that the bad actors behind it are changing tactics to remain under the radar.
Windigo is a sophisticated malware-based campaign uncovered by security experts at ESET in March 2014. The hackers behind it exploited the Linux/Ebury backdoor, compromising more than 500,000 computers and 25,000 dedicated servers. Operation Windigo hit popular entities such as the Linux Foundation and cPanel, and the attackers compromised a wide range of operating systems, including Apple OS X, FreeBSD, OpenBSD, Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture.
The campaign affected numerous countries, including the US, Germany, France, Italy, Great Britain, the Netherlands, the Russian Federation, Ukraine, Mexico and Canada.
Although the number of infections is smaller than in other campaigns, the Windigo operation can be considered highly damaging given its compromise of servers and the level of sophistication of the malware.
ESET malware analyst Olivier Bilodeau recently explained that the bad actors behind Windigo changed tactics and began infecting porn websites after Windigo was detected by the security community.
The attackers decided to hit sites offering adult content because of their wide audience: by compromising a single server they can affect thousands of users.
“They were infecting anything with a good IP, but now they are infecting mostly porn sites.” “It’s really stealthy because you are expecting to see pop-ups and banners, and who reports issues to a porn site? Who reports an exe download attempt? No one.” “Usually when they infect one server it affects thousands of users,” said Bilodeau.
The operators of the Windigo campaign were able to distinguish ordinary users from administrators by looking for common admin activity; the chosen victims were then redirected to malicious sites serving exploit kits, or to dating sites for revenue generation.
The experts at ESET noticed that the attackers behind the Windigo operation used different exploit kits, from Flashback to the BlackHole kit. The infrastructure compromised by Windigo was used to steal SSH credentials, redirect Internet users to malicious websites and send spam.
The attackers behind Operation Windigo don’t exploit zero-days against Linux or Unix systems; they exploit known weaknesses to build and recruit new machines for their botnets.
It is interesting to note that the attackers are targeting smaller “specialised” porn sites rather than large architectures, because such sites usually have fewer security defenses in place. The tactic allows the bad actors to remain under the radar while they continue to monetize their efforts.
“We think they are interested in staying under the radar and making money, and not spreading too largely [because] law enforcement may be interested if there is a lot of victims,” Bilodeau told The Register.
To sum up, while ESET is discovering more about the Windigo campaign, the malware authors are changing tactics to deceive security experts; in practice they are improving their malicious code in order to evade detection mechanisms.
The experts believe the crooks have now adopted DevOps-style practices: the malware coders use Bash and Perl scripts streamed through SSH rather than downloaded onto the server. With this ploy the code is never written to the targeted server’s disk, which makes ESET’s investigation difficult.
“It is the first time we have seen these specific techniques used,” he said.
The only way the experts have to analyze the scripts is to run a man-in-the-middle on the SSH protocol on a Windigo-infected honeypot. The ESET researchers who analyzed the scripts discovered that the attackers behind the Windigo campaign targeted specific Linux installations.
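Because the streamed scripts never touch disk, the defender's remaining artefact is the process execution itself: an interpreter started under an SSH session and told to read its program from standard input. The following added example (not ESET's tooling, and not code from the article) flags exactly that pattern over a constructed set of process-execution events; the JSON field names, the interpreter list and the flag table are assumptions for the example.

```python
import json

# Interpreters and the argument that makes them read the program body from stdin.
# Assumption: an illustrative mapping, not an exhaustive list of interpreters.
STDIN_SCRIPT_FLAGS = {
    "bash": {"-s"},
    "sh": {"-s"},
    "perl": {"-"},
    "python": {"-"},
}

# Constructed process-execution events (JSON lines) standing in for audit data.
# Assumed fields: pid, argv, ancestors (process names from parent up to init).
SAMPLE_EVENTS = """
{"pid": 2001, "argv": ["-bash"], "ancestors": ["sshd", "sshd", "init"]}
{"pid": 2041, "argv": ["bash", "-s"], "ancestors": ["bash", "sshd", "sshd", "init"]}
{"pid": 2077, "argv": ["/usr/bin/perl", "-"], "ancestors": ["sh", "sshd", "init"]}
{"pid": 2090, "argv": ["bash", "-s"], "ancestors": ["sh", "cron", "init"]}
{"pid": 2103, "argv": ["perl", "/opt/app/rotate.pl"], "ancestors": ["bash", "sshd", "init"]}
"""


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reads_program_from_stdin(argv):
    """True if argv starts an interpreter with the script body coming from stdin."""
    if not argv:
        return False
    # Strip any directory and the leading '-' that marks a login shell ("-bash").
    name = argv[0].rsplit("/", 1)[-1].lstrip("-")
    flags = STDIN_SCRIPT_FLAGS.get(name)
    if flags is None:
        return False
    return any(arg in flags for arg in argv[1:])


def find_streamed_scripts(events):
    """Return PIDs of interpreters fed their program over an SSH session.

    An interactive login shell ("-bash" with no flags) and the same flags used
    under cron are deliberately not reported; only the SSH-fed case matches.
    """
    return [
        ev["pid"]
        for ev in events
        if "sshd" in ev["ancestors"] and reads_program_from_stdin(ev["argv"])
    ]
```

Running `find_streamed_scripts(load_events(SAMPLE_EVENTS))` reports PIDs 2041 and 2077 and leaves the interactive shell, the cron job and the on-disk script alone.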
“Further statistical analysis was hindered by the absence of command and control servers and the changing nature of the threat, meaning extrapolation into the number of victims was ‘more art than science’,” states The Register.