Whether it is to send spam or to redirect web traffic to malicious payloads, compromised (
Linux
) web servers are the glue in many a malware campaign. Two such networks of compromised servers – about which
VB
has published papers in the past – have recently received updates.
The paper ‘Operation Windigo’ (
pdf
) was published by
ESET
in 2014 and looked at a cybercrime operation that used various
Linux
malware families, including the Ebury OpenSSH backdoor, which was used to access servers and steal credentials, and the Cdorked HTTP backdoor, which was used for web traffic redirection.
At VB2014, researchers from
ESET
in Canada and
Yandex
in Russia shared the stage to present a
paper
on these malware families, and at the same event, the authors of the Operation Windigo paper were the winners of the
first Péter Szőr award
.
The work the
ESET
researchers did on this group wasn’t merely technical though: they also assisted the FBI in an international operation against the conspirators behind the malware, which led to the arrest of one individual at the Finnish-Russian border in August 2015. The suspect was subsequently extradited to the United States where he pleaded guilty and was sentenced to 46 months in prison.
Despite this setback, the group is still active. Yesterday,
ESET
published a
blog post
highlighting various updates to the Ebury malware, which include self-hiding techniques and a domain generating algorithm (DGA) that signs DNS TXT records to mitigate possible attempts to sinkhole the botnet.
Various generations of penguins. Source:
Wikimedia commons
.
Also in 2014,
Virus Bulletin
published a
paper
by the same group of
Yandex
researchers, on the Mayhem botnet they had discovered. What made this botnet of
Linux
servers particularly noteworthy was the fact that it operated under restricted privileges and thus didn’t require root access on the infected machines. The clear separation of root and user accounts on
Linux
is often cited as a strong built-in defence against malware.
A
blog post
by
Sucuri
shows that the Mayhem botnet is still active and has updated itself, removing any traces of the
MAYHEM_DEBUG
server variable, while masquerading as a
jquery
library.
A combination of operating system hardening and security software for added protection has made both desktop and mobile operating systems more secure than ever. This has made
Linux
servers a relatively easy and rather attractive target for malware authors. It is thus unlikely that we have seen the end of such attacks.
Leave a Reply