'Windigo' Malware Campaign Floods Internet with Spam, Porn

If you're seeing pop-up porn ads on your smartphone or sleazy dating ads on your Mac, or your PC's anti-virus software is blocking certain websites, Windigo may be to blame.

That's the name, a variant on the "Wendigo" known to readers of Marvel Comics, that researchers from Slovak security firm ESET bestowed on a massive server-based malware campaign active since at least 2011.

The criminals behind Windigo have used Linux/Ebury, a sophisticated Trojan horse that burrows deep into an operating system, steals login credentials and opens the door to other malware, to infect 25,000 servers worldwide.

ESET researchers said 10,000 servers are still infected, and 700 are actively distributing spam, ads and malware.

Thirty-five million spam email messages are sent each day by servers controlled by the Windigo gang, ESET said in a report released today (March 18). Windigo-controlled Web servers host malware that infects browsers on Windows PCs, displays risqué dating ads on Macs and redirects smartphone browsers to porn ads.

All desktop browsers visiting infected Web servers are hijacked to display porn ads, and an estimated 500,000 Web visitors are redirected each day, the ESET team said.

"The number of systems affected by Operation Windigo might seem small when compared with recent malware outbreaks where millions of desktops are infected," the researchers said in their report. "It is important to keep in mind that, in this case, each infected system is a server. ... equipped with far more resources in terms of bandwidth, storage and computation power than normal personal computers."

Linux and UNIX servers are vulnerable, but so are any servers able to run UNIX commands, including those running FreeBSD, OpenBSD, OS X and even Windows with the Cygwin environment.

Server administrators can run a simple command to see whether their machines are infected:

    $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

Anyone who gets a "System infected" response should immediately change all administrator usernames and passwords, and consider reinstalling the operating system.
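The one-liner above treats a client that rejects -G as an illegal or unknown option as clean. OpenSSH 6.8 and later accept -G as a legitimate option, so a clean modern client would be reported as "System infected". The shell functions below are an added example, not ESET's or the article's code: they interpret the same output together with the `ssh -V` banner, and the function names and sample strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the output of `ssh -G 2>&1` using the `ssh -V 2>&1` banner.
# Results: clean | suspect | inconclusive. Output from a compromised host cannot
# be fully trusted; this only removes a known false positive of the one-liner.

# Print "major minor" from a banner such as "OpenSSH_6.6.1p1 ..., OpenSSL ...".
ssh_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# classify_ssh_g <output of ssh -G> <output of ssh -V>
classify_ssh_g() {
    g_out=$1
    v_out=$2
    # Same test as the article's command: the client rejected -G.
    if printf '%s\n' "$g_out" | grep -q -e illegal -e unknown; then
        echo clean
        return 0
    fi
    ver=$(ssh_major_minor "$v_out")
    if [ -z "$ver" ]; then
        echo inconclusive        # banner not recognised, cannot judge
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    # From 6.8 on, -G is a real option, so accepting it proves nothing.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo inconclusive
    else
        echo suspect             # pre-6.8 client that accepts -G
    fi
}

# Run against the local client only when asked: sh script.sh --local
check_local_ssh() {
    classify_ssh_g "$(ssh -G 2>&1)" "$(ssh -V 2>&1)"
}

if [ "${1:-}" = "--local" ]; then
    check_local_ssh
fi
```

A result of "inconclusive" means this check cannot decide and the server needs other verification.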

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • jhansonxi
    From Ars Technica (http://arstechnica.com/security/2014/03/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits/): "The Windigo campaign doesn't rely on technical vulnerabilities to take hold of servers, Eset said. Instead, it uses stolen credentials. That finding led the researchers to conclude password authentication to access servers is inadequate." IOW, no OS exploit. Just typical idiots setting up servers.
  • DA Dope
    Note that the "$" is not part of the test command. If you type "$ ssh..." you will get a false "system infected" response.
  • deksman
    1. Adblock
    2. HTTPS everywhere
    3. Do Not Track
    'Must have' extensions for Chrome. I also use Microsoft Security Essentials with 0 problems, and Free Malwarebytes as a backup just in case.