'Windigo' Malware Campaign Floods Internet with Spam, Porn
If you're seeing pop-up porn ads on your smartphone or sleazy dating ads on your Mac, or your PC's anti-virus software is blocking certain websites, Windigo may be to blame.
That's the name, a variant on the "Wendigo" known to readers of Marvel Comics, researchers from Slovak security firm ESET bestowed on a massive server-based malware campaign active since at least 2011.
The criminals behind Windigo have used Linux/Ebury, a sophisticated Trojan horse that burrows deep into an operating system, steals login credentials and opens the door to other malware, to infect 25,000 servers worldwide.
ESET researchers said 10,000 servers are still infected, and 700 are actively distributing spam, ads and malware.
Thirty-five million spam email messages are sent each day by servers controlled by the Windigo gang, ESET said in a report released today (March 18). Windigo-controlled Web servers host malware that infects browsers on Windows PCs, displays risqué dating ads on Macs and redirects smartphone browsers to porn ads.
All desktop browsers visiting infected Web servers are hijacked to display porn ads, and an estimated 500,000 Web visitors are redirected each day, the ESET team said.
"The number of systems affected by Operation Windigo might seem small when compared with recent malware outbreaks where millions of desktops are infected," the researchers said in their report. "It is important to keep in mind that, in this case, each infected system is a server. ... equipped with far more resources in terms of bandwidth, storage and computation power than normal personal computers."
Linux and UNIX servers are vulnerable, but so are any servers able to run UNIX commands, including those running FreeBSD, OpenBSD, OS X and even Windows with the Cygwin environment.
Server administrators can run a simple command to see whether their machines are infected: $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
Anyone who gets a "System infected" response should immediately change all administrator usernames and passwords, and consider reinstalling the operating system.