(Michael Kassner @ IT Security) A new report details how 25,000 servers were compromised. The attacks would have failed if more than single-factor login (username/password) had been required. Security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This report was a joint research effort by ESET, CERT-Bund, SNIC and CERN. The key phrase in the report title is “server-side.”
Over the past two years, ESET has chronicled 25,000 malware-infected servers that have been instrumental in:
The report talks about two well-known organizations that became victims of Windigo: "This operation has been ongoing since 2011 and has affected high-profile servers and companies, including cPanel and Linux Foundation’s kernel.org."
The Linux servers had a common thread — all were infected with Linux/Ebury, malware known to provide a root backdoor shell along with the ability to steal SSH credentials. The report also said, “No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.”
In a sense, that helps explain the compromise, as Linux servers are, for the most part, bulletproof.
So, how did attackers get root-access credentials, log in, and ultimately install the malware?
For those answers, I enlisted the help of Pierre-Marc Bureau, security intelligence program manager for ESET. Bureau said all it takes is to compromise one server in a network, then it becomes easy. Once root is obtained, attackers install Linux/Ebury on the compromised server, and start harvesting SSH-login credentials.
With the additional login credentials, attackers explore to see what other servers can be compromised in that particular network.
This slide depicts the infection process:
As mentioned earlier, the infected servers are part of spam campaigns, redirect visitors to malicious websites, or download malware to the victim’s computer if it is vulnerable. In order to accomplish this, the attackers install additional malware on the servers, consisting of:
Perl/Calfbot: A lightweight spam bot written in Perl
The report mentions there are two types of victims: the Linux/Unix server operators, and end-users who receive spam and/or visit a website hosted by a compromised server. In that regard, ESET has determined that compromised servers try to download the following Windows malware:
Win32/Glubteta.M: A generic proxy targeting Windows computers
ESET has worked up Snort and Yara rules that can be found at GitHub.
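The article's point that single-factor, root-capable SSH logins were what the attackers relied on can be checked on a server's own configuration. The following is an added example, not code from the ESET report or the original article: a Python audit of `sshd_config` text that flags single-factor and direct root login. The sample configurations are constructed and the finding names are hypothetical labels.

```python
# Added example: audit sshd_config text for single-factor and direct root login.
DEFAULTS = {  # OpenSSH defaults when a keyword is absent
    "authenticationmethods": "any",
    "permitrootlogin": "prohibit-password",
}

def parse_global(text):
    """Return global keywords; sshd keeps the first value it sees for each."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())
    return {**DEFAULTS, **seen}

def audit(text):
    """Return finding names (hypothetical labels) for weak login settings."""
    cfg = parse_global(text)
    findings = []
    # Each space-separated list is an alternative; a list without a comma
    # (or "any") lets a single stolen credential complete the login.
    alternatives = cfg["authenticationmethods"].split()
    if any(alt == "any" or "," not in alt for alt in alternatives):
        findings.append("single-factor-login")
    # "yes" lets root authenticate directly with any permitted method.
    if cfg["permitrootlogin"] == "yes":
        findings.append("direct-root-login")
    return findings

WEAK = """# constructed sample
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """# constructed sample
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

The same function accepts the output of `sshd -T`, which prints the effective global configuration one keyword per line.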