What is Operation Windigo? And is it attacking you?
A widespread cybercriminal campaign has seized control of more than 25,000 Unix servers worldwide.
The extensive attack has been discovered by security researchers at IT security firm ESET, in collaboration with other agencies including CERT-Bund and the Swedish National Infrastructure for Computing.
The attack, which has been dubbed Operation Windigo, has resulted in infected servers sending out millions of spam emails. Its complex knot of sophisticated malware components is designed to hijack servers, infect the computers that visit them, and steal information. Victims of Operation Windigo have included cPanel and kernel.org.
ESET’s security research team has published a detailed technical paper, presenting the findings of the team’s investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code.
Operation Windigo: Gathering strength for more than three years
While some experts have spotted elements of the Windigo cybercriminal campaign, the sheer size and complexity of the operation have remained largely unrealised by the security community.
"Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control," said ESET security researcher Marc-Étienne Léveillé. "Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."
Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.
An appeal to sysadmins to take action against Windigo
More than 60% of the world’s websites are running on Linux servers, and ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.
"Webmasters and IT staff already have a lot of headaches and things on their mind, so we hate to add to their workload – but this is important. Everyone wants to be a good net citizen, and this is your chance to play your part and help protect other internet users," says Léveillé. "The last thing anyone should want is to be part of the problem, adding to the spread of malware and spam. A few minutes can make the difference, and ensure you are part of the solution."
Find out how to tell if you are being attacked…