10,000 Linux and UNIX Servers Attacked With Malware

UNIX was once among the most appealing operating systems on the market and home to many early security developments. Over time, competition between the commercial UNIX variants and Linux has put Linux on top and made UNIX a less recognisable name. Still, UNIX systems are generally regarded as offering the same level of security protection as Linux, and both are widely considered much safer to use than Windows.


However, UNIX users are at risk too. Because the commercial UNIX variants are proprietary, fixes arrive only as vendor patches, whenever the vendor chooses to release them. Linux, with its open source code, tends to turn security updates around faster. The result is that not every vulnerability in a UNIX system is caught promptly, and it can take a while before one is noticed and patched.

This was seen recently in the disclosure that some 10,000 servers are currently under the control of a single malware campaign. Most interestingly, the campaign has been running since 2011. Researchers at ESET named it 'Operation Windigo' to label the whole series of attacks that share this approach.

Over the past two and a half years it has compromised more than 25,000 servers in total; roughly 10,000 of them were still under the attackers' control when the campaign was documented. Together they push out in excess of 35,000,000 spam messages each day. End users who visited an infected site with a Windows system were exposed to drive-by attacks, because the servers redirected them to exploit kits, and the same servers were also used to serve pornographic banner ads.

What Is The Outlook on the Windigo Campaign?

This particular campaign did not raise much alarm at first, but the consequences of leaving it unnoticed or untreated are now becoming clear. Researchers who have traced compromises of Lighttpd, nginx and Apache web servers warn that Windigo's reach extends across the whole Internet, since any visitor to an infected server can be targeted.

They also made an important point: Windigo has compromised fewer systems than many botnets, but each of those systems is a server. So while the numbers look small beside malware that infects millions of desktop computers, the harm that can be done through a server is far greater, because a single server reaches every one of its visitors.

Not only can the website itself be tampered with, but whoever controls these servers can launch further attacks from them directly, with far more bandwidth and uptime than a botnet built solely from individual desktop computers.

The most concerning question is where the Windigo campaign goes from here. Each newly compromised server is worth many individual desktop computers, since it exposes every visitor, and the credentials stolen from one server are used to break into the next. As long as that continues, the number of affected people grows faster and faster.

What Are People Going to Do To Stop Windigo?

The most effective thing anyone can do is to stop their server or website from putting its visitors at risk. An IT administrator should wipe every affected machine, reinstall the operating system and any needed software from trusted media, and then treat every password and SSH key that was ever used on the compromised host as stolen and replace it. For prevention, adding security measures such as two-factor authentication is a good idea.

It is worth stressing that password authentication on a server is outdated. There is no reason to keep server logins based on passwords alone: proper SSH key management, or a second step such as two-factor authentication, is essential. Note that keys by themselves are not a cure here, because the Windigo backdoor also steals the private keys stored on infected hosts; a second factor that is not stored on the server is what stops a stolen credential from being reused.
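To make the advice above concrete, here is an added example (not code from the page or from ESET) that audits an sshd_config for the password-only login the article argues against and prints the hardened directives that replace it. The directive names are real OpenSSH options; the function names, the sample configuration and the assumption that a PAM module such as pam_google_authenticator provides the second factor are mine.

```shell
#!/bin/sh
# Added example, not the page's or ESET's code: audit an sshd_config for
# password-only login and print the hardened counterpart. Directive names
# are real OpenSSH options; the sample configuration below is constructed.

# Effective value of directive $2 in the config text $1; the first
# occurrence wins, as in sshd. Prints $3 (the compiled-in default) if unset.
sshd_get() {
    val=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\)$/\1/p" \
        | head -n 1)
    printf '%s\n' "${val:-$3}"
}

# One finding per line. The defaults assumed are those of 2014-era OpenSSH
# (PasswordAuthentication yes, PermitRootLogin yes, no AuthenticationMethods).
sshd_audit() {
    cfg=$1
    if [ "$(sshd_get "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: a guessed or stolen password alone grants a shell"
    fi
    if [ "$(sshd_get "$cfg" PermitRootLogin yes)" = yes ]; then
        echo "PermitRootLogin yes: root itself is reachable with a password"
    fi
    # In AuthenticationMethods a comma means "all of these", a space means
    # "any of these"; only the comma form forces a second factor.
    if ! printf '%s\n' "$(sshd_get "$cfg" AuthenticationMethods '')" | grep -q ','; then
        echo "AuthenticationMethods does not require a key AND a second factor"
    fi
}

# Number of findings, for scripting (0 means the config passed).
sshd_audit_count() {
    sshd_audit "$1" | awk 'END { print NR }'
}

# The hardened counterpart. Assumes a PAM module for the second factor (for
# example pam_google_authenticator) is configured in /etc/pam.d/sshd, which
# is outside this script. ChallengeResponseAuthentication is spelled
# KbdInteractiveAuthentication in OpenSSH 8.7 and later.
sshd_hardened() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Constructed sample: what a default install of the time looked like.
WEAK_CONFIG='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes'

echo "Weak config findings:"
sshd_audit "$WEAK_CONFIG"
echo "Hardened config findings: $(sshd_audit_count "$(sshd_hardened)")"
```

Run it as-is to see the three findings against the sample, or feed it a real file with `sshd_audit "$(cat /etc/ssh/sshd_config)"`. After applying the hardened directives, validate with `sshd -t` before restarting the daemon, and keep an existing session open until a second login with key plus second factor has succeeded.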

This is easier said than done: an IT administrator first has to notice that the server has been compromised. Some symptoms are fairly noticeable, such as a sudden high volume of outbound spam, but the backdoor itself leaves few obvious traces.

ESET issued a quick check for determining whether a server is compromised by Windigo. All the administrator has to do is run this command:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

The check works because the OpenSSH client trojanised by Windigo's Ebury backdoor silently accepts a -G option, whereas a stock OpenSSH client of the time rejects it with an "illegal option" or "unknown option" error. One caveat: OpenSSH 6.8 (released in 2015) added a legitimate -G option, so on any system running that version or newer the command reports "System infected" regardless of the server's state, and the result must be confirmed with other indicators.

Please note that since this test is public, chances are high that the malware developers will implement a workaround to prevent future detection.
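The following is an added example, not ESET's tooling, that wraps the same heuristic so it cannot give the false "infected" verdict on OpenSSH 6.8 or later: it reads the client version first and applies the -G test only where a stock client would reject the option. Function names, the three-way verdict, and the sample banners and outputs used in the comments and tests are my constructions.

```shell
#!/bin/sh
# Added example, not ESET's tool. ESET's one-liner assumes an OpenSSH
# client that rejects -G. OpenSSH 6.8 (2015) made -G a real option, so on
# any current system the one-liner says "System infected" whether or not
# anything is wrong. This wrapper checks the client version first and only
# applies the heuristic where it is meaningful. Function names and the
# sample banners/outputs are constructed.

# Print "MAJOR MINOR" from an `ssh -V` banner such as
# "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014" -> "6 6".
# Prints nothing if the banner is not from OpenSSH.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Classify a host from two pieces of evidence:
#   $1  the `ssh -V` banner
#   $2  what `ssh -G` (no hostname) wrote to stdout+stderr
# Prints exactly one of: clean, suspect, inconclusive
classify_ssh_g() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo inconclusive   # not OpenSSH, or no ssh at all: heuristic does not apply
        return
    fi
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        # -G is legitimate here; silence or usage text proves nothing either way.
        echo inconclusive
    elif printf '%s\n' "$2" | grep -q -e illegal -e unknown; then
        # A stock pre-6.8 client rejects -G: the "clean" outcome of ESET's test.
        echo clean
    else
        # A pre-6.8 client that swallowed -G: the behaviour ESET attributed to
        # the trojanised OpenSSH. Confirm with other indicators before acting.
        echo suspect
    fi
}

# Apply the check to the ssh client installed on this machine.
check_local_ssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo inconclusive
        return
    fi
    banner=$(ssh -V 2>&1 || true)
    output=$(ssh -G 2>&1 || true)   # exits non-zero on every version; ignore that
    classify_ssh_g "$banner" "$output"
}

check_local_ssh
```

A "suspect" verdict is a reason to compare the ssh binary and its libraries against the package manager's checksums and to consult ESET's other indicators, not proof by itself; an "inconclusive" verdict means the heuristic simply does not apply to that version and says nothing about the host.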

The Windigo Attack is Serious

It is important to emphasise how severe the Windigo campaign is. To put it into perspective, more than 25,000 servers have been compromised, and the infected servers redirect over half a million web visitors a day towards exploit kits and other malicious content.

ESET, the Internet security company that has been tracking Operation Windigo, has published indicators of compromise and cleanup guidance for affected administrators. There is, however, no fix that removes the threat for good, and the campaign is still very capable of compromising further servers.

Quite possibly the most notable fact about Windigo is that there is no reliable way to clean an infected server in place: the backdoor replaces system components and has already harvested the credentials stored on the host. It really does require you to wipe and reinstall everything and to replace every credential the server held. This is not just a pain to do, but it can cause further trouble, for instance if a backup taken after the compromise is restored along with the backdoor.

One thing that is becoming clear is that two-factor authentication is the future for server logins. After all, it can be the difference between keeping your server safe and exposing both you and your visitors to Windigo.