Wednesday, March 19, 2014

Operation Windigo - The New *NIX Security Threat

In a previous post, we saw that free operating systems are relatively safer than Windows- or OS X-based systems. Still, sporadic incidents of malware, trojans and security vulnerabilities do happen. After the NSA revelations, free software code is being reviewed more strictly and many overlooked vulnerabilities are surfacing, as in the case of GnuTLS (though it seems not many users are actually affected by it). Now security researchers have revealed a widespread attempt to infect Linux/Unix servers.

This attack so far is targeted ONLY at servers. But it is a crucial lesson for us to learn that just running GNU/Linux or BSD or any other OS does not make you secure by default. To be secure, you must spend time making your system secure. At least install ClamAV immediately if you have not installed it already. Anyway, let us see how Operation Windigo works.

(Image: ClamTK in action)

Operation Windigo uses several different pieces of malware to infect servers; the operators then earn money by sending spam, redirecting users to advertising sites, or making users download trojans for further infection.

The following is the list of malware involved in the operation and the role/behaviour of each.

Ebury is used to create a backdoor (an illegal entry into your machine without your notice). It can also steal your SSH password.

Cdorked is also a backdoor. But it can also make end users download malicious files.

Onimiki is used to redirect users to different IPs for a given URL pattern.

Calfb is a Perl-based spam engine. It can send spam mails with malicious links to users.

Boaxxe.G and Glupteba.M are the files sent to Windows users so that their machines can be infected to cause further damage.

To quickly check if you are infected, open a terminal window and type the following.

$ ssh -G 2>&1 | grep -e illegal -e unknown

(Image: ssh -G showing "unknown option" in Fedora)

If there is output, you are safe. If it is blank, you may be infected! To dig further, follow the steps below.

$ su

Enter your password

# ipcs -m

If you see any shared memory segment (owned by any user) with full read/write permission for all users (666) and a size greater than 3MB, it is a strong indicator of Ebury infection.
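The two checks above combined into a small POSIX shell script, as an added example that is not part of the original post or of ESET's indicator repository. The functions classify_ssh_g and flag_ebury_shm, the 3000000-byte reading of "3MB" and the sample ipcs -m output are all constructed here. One caveat the post could not anticipate: OpenSSH 6.8 (released in 2015) added -G as a legitimate option, so on any current ssh build the first check reports the binary as suspect even when it is clean; the ssh -G test is only meaningful on older builds.

```shell
#!/bin/sh
# Added example, not part of the original post or of ESET's IOC repository:
# the two Ebury checks from the post, wrapped in small functions so they can
# be run against constructed sample output as well as against the live host.

# classify_ssh_g: takes the combined stdout+stderr of `ssh -G` as its only
# argument. A stock ssh of the 2014 era rejects -G with "illegal option"
# (BSD getopt) or "unknown option" (GNU getopt); an Ebury-patched ssh
# accepts it silently. Prints "clean" or "suspect".
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo suspect
    fi
}

# flag_ebury_shm: reads `ipcs -m` output on stdin and prints every segment
# whose permission column is 666 and whose size exceeds 3 MB (taken here as
# 3000000 bytes, an assumption; the post does not say decimal or binary).
# Exit status 0 when at least one segment matched, 1 otherwise.
flag_ebury_shm() {
    awk '$4 == "666" && $5 + 0 > 3000000 { print; found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Constructed sample in the layout of Linux (util-linux) `ipcs -m`. Only the
# first segment matches the indicator: perms 666 and 3145728 bytes.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 0          root       666        3145728    1
0x00000000 32769      alice      600        4194304    2
0x0000abcd 65538      bob        666        65536      1'

# live_checks: run both checks against the host this script runs on.
live_checks() {
    if command -v ssh >/dev/null 2>&1; then
        echo "ssh -G: $(classify_ssh_g "$(ssh -G 2>&1)")"
    fi
    if command -v ipcs >/dev/null 2>&1; then
        ipcs -m 2>/dev/null | flag_ebury_shm || echo "ipcs -m: no 666 segment over 3 MB"
    fi
}

# Demonstration on the constructed sample.
echo "ssh -G (old stock ssh): $(classify_ssh_g 'ssh: illegal option -- G')"
echo "ssh -G (accepts -G):    $(classify_ssh_g 'host example.com')"
echo "Suspect shared memory segments in sample:"
printf '%s\n' "$SAMPLE_IPCS" | flag_ebury_shm || echo "(none)"

# Pass --live to also inspect the real ssh binary and shared memory segments.
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it without arguments to see the sample evaluation, or with --live on the machine you want to inspect; the shared memory check does not depend on the ssh version, so it remains useful where the ssh -G check no longer is.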

The above commands check for Ebury. The checks for the other malware are not suitable for home users. As mentioned earlier, the chances of having this infection on your PC/laptop are very slim, as the target is mainly servers. So far 25000 servers have been compromised. That is very few compared to the billions of infected Windows machines.

References:

1. http://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/

2. https://github.com/eset/malware-ioc/commit/b4c4a6d8a67b22693d04092b5962875b6d0fabeb

3. http://www.clamav.net/lang/en/
