During the last half of March, news about a new Linux malware exploit lit up the IT newswires. It isn't taking long for details about the exploit to come forward, either. Estimates place the number of infected web servers at between 10,000 and 25,000.
The exploit, called Windigo, has been active since 2011. Some experts claim that it uses vulnerabilities on web servers to inject malicious JavaScript into websites. That malicious code sends 35 million spam emails per day from the infected servers and exposes Windows users to drive-by malware attacks. It is reported to have infected the Linux Foundation's kernel.org servers. There are also reports that users of Linux kernel 2.6.x are the most vulnerable.
Instead of relying on technical vulnerabilities, Windigo uses stolen credentials to gain access to servers. If you run a web server, simple password authentication is inadequate; administrators should rely on two-factor authentication.
Windigo is comprised of three separate attacks. The first, known as Linux/Ebury, creates an OpenSSH backdoor through which credentials can be stolen and control of the servers taken. The second, known as Linux/Cdorked, is an HTTP backdoor that redirects visitors to malicious software exploits and fraudulent content. The third, known as Perl/Calfbot, causes the infected machines to send spam.
If you run a web server and want to know if it is infected, run the following code at the command line:
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
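The one-liner above depends on a clean OpenSSH client rejecting the -G option. OpenSSH 6.8 and later accept -G as a legitimate option (it prints the effective client configuration), so on those versions a silent ssh -G is normal and the one-liner would report a clean server as infected. The following shell script is an added example, not code from the column or from the Windigo researchers: it wraps the same check in functions, parses the ssh -V banner first, and reports "inconclusive" instead of a false "infected" when -G is native. The version banners and option-error strings in the comments and tests are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original column): the ssh -G Ebury check, with
# the OpenSSH version considered first so that 6.8+ does not trip a false alarm.

# Return 0 when the `ssh -V` banner (e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
# a constructed sample) is 6.8 or newer, i.e. -G is a real option there and the
# one-liner is not usable. Returns 1 for older versions or unrecognised banners.
openssh_has_native_G() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; then return 0; fi
    return 1
}

# Classify the combined output of `ssh -G 2>&1` the way the column's one-liner
# does: a clean pre-6.8 client rejects the option ("illegal option" or
# "unknown option"); the Ebury-patched binary accepts it silently.
classify_ssh_g_output() {
    case "$1" in
        *illegal*|*unknown*) echo clean ;;
        *)                   echo infected ;;
    esac
}

# Combine both: prints "clean", "infected", or "inconclusive" (when -G is native).
# $1 is the `ssh -V 2>&1` banner, $2 the `ssh -G 2>&1` output.
assess_ebury() {
    if openssh_has_native_G "$1"; then
        echo inconclusive
    else
        classify_ssh_g_output "$2"
    fi
}

# Run against the locally installed client, if there is one.
if command -v ssh >/dev/null 2>&1; then
    echo "Ebury ssh -G check: $(assess_ebury "$(ssh -V 2>&1)" "$(ssh -G 2>&1)")"
fi
```

An "inconclusive" result means this particular indicator cannot be used on that OpenSSH version; it is not evidence either way, and the column's advice about rootkit scanners and credential rotation still applies.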
If your server is infected, it's highly recommended that you completely reinstall the system, given how difficult this malware has proven to remove. Also, it's recommended that you consider any currently used credentials compromised, and change them on the new installation.
If your server isn't yet infected, it's highly recommended that you update to the latest stable kernel that is available to you.
Lessons?
Certainly, we all can learn something from this latest attack. First, it emphasizes why you should never run your machine under the root account. Running under the root account, you expose yourself to every attack, as rootkits and malware have an easy route to install themselves on your system. Second, keep your kernel updated to the latest version that runs on your computer hardware configuration. Running the latest kernel ensures that you have the latest security updates, plugging any "holes" where malware may gain entry. Third, avail yourself of some of the security tools that Linux provides, such as rkhunter, to seek out any rootkits that may try to infect your machine.
There's no doubt that Linux is infinitely more secure than Windows. That's something that every Linux user already knows. But no one, nowhere, can ever make an operating system that's 100% secure. There will always be vulnerabilities. I'm just happy that I run Linux, where viruses, malware, spyware and all the other types of "wares" are the exception, rather than the rule.
Until next month, I bid you peace, serenity, happiness, prosperity ... and security.