Operation Windigo is a highly sophisticated attack, ever changing, linked to command and control centers and compromising web servers serving up malicious DNS answers so that the victim is relayed through chains of compromised servers, installing backdoors (accessible through SSH and through HTTP headers) and spam bots. Because my case was evidenced in the same ways that were reported back in 2014 or earlier, it may be that it was someone not associated with the 'gang' that started it. I say that because it's reported that every time an analysis about their operation was released, they quickly altered their code to hide it from the testing tools that security professionals had developed.

I mentioned a PDF at the end of my opening post. It is 69 pages and really goes into detail. Anyone who thinks Linux is very secure ought to read it. I don't think it is secure enough by default. Below is an opening summary from that document to whet your appetite.
(It appears that this statement was made around February, 2014)

'• The Windigo operation has been ongoing since at least 2011
• More than 25,000 unique servers have been compromised in the last two years
• A wide range of operating systems have been compromised by the attackers: Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture
• Malicious modules used in Operation Windigo are designed to be portable. The spam-sending module has been seen running on all kinds of operating systems while the SSH backdoor has been witnessed both on Linux and FreeBSD servers
• Well known organizations including cPanel and Linux Foundation (kernel.org) fell victim to this operation
• Windigo is responsible for sending an average of 35 million spam messages on a daily basis
• More than 700 web servers are currently redirecting visitors to malicious content
• Over half a million visitors to legitimate websites hosted on servers compromised by Windigo are being redirected to an exploit kit every day
• The success rate of exploitation of visiting computers is approximately 1%
• The malicious group favors stopping malicious activity over being detected
• The quality of the various malware pieces is high: stealthy, portable, sound cryptography (session keys and nonces) and shows a deep knowledge of the Linux ecosystem
• The HTTP backdoor is portable to Apache's httpd, Nginx and lighttpd
• The gang maximizes available server resources by running different malware and activities depending on the level of access they have
• No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past.'

The latest reporting I've been able to find about Windigo is from 2015, but in my searching I've seen that there is an ever growing list of exploits that attack GNU/Linux. One reason is the popularity of Android. These days people, including hackers, can do almost all their computing on their phone.

Also, Jodiendo's post here fits right in:
https://trisquel.info/en/forum/hacker-news-twitter-dnschanger-malware-back. I disabled the DNS server on my routers, which, though commercial, run some form of Linux, I am sure.

Here's a quote from an interview with Linus Torvalds in the November, 2016 issue of Linux Pro Magazine:

"But, I have to say, some of those attack people are pretty smart people, and clearly they are not all criminals; some of them work for the government."

Re the firmware issue, I need to install Tails to a fresh thumb drive and try that.

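The last point of the quoted summary, that only stolen credentials were used and that password authentication on servers should be a thing of the past, is the one an administrator can act on directly. The script below is an added example, not code from this forum post or from the ESET report it quotes: a POSIX shell audit of an sshd_config that reports every remaining password path into the host (the PasswordAuthentication keyword, the keyboard-interactive/PAM prompt, root password login, empty passwords, and Match blocks that quietly re-enable passwords for some clients). The two sample config files, the helper names sshd_opt and audit_sshd_config, and the default values it assumes for absent keywords (OpenSSH's documented defaults) are my own construction.

```shell
#!/bin/sh
# Added example (not from the original post or the ESET report):
# audit an sshd_config for any password-based way in.
# Assumes the usual "Keyword value" layout and OpenSSH defaults for
# keywords that are absent (PasswordAuthentication yes, PermitRootLogin
# prohibit-password, KbdInteractiveAuthentication yes).

# sshd_opt FILE KEYWORD DEFAULT
# Prints the effective global value of KEYWORD, lowercased. sshd uses the
# FIRST occurrence of a keyword, and everything after the first "Match"
# line is conditional, so we stop there. Works on raw files and on the
# lowercase output of "sshd -T".
sshd_opt() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key     { print tolower($2); exit }
    ' "$1")
    printf '%s' "${val:-$3}"
}

# audit_sshd_config FILE
# Prints one line per weakness; returns 0 if no password path remains,
# 1 otherwise.
audit_sshd_config() {
    f=$1; bad=0
    pw=$(sshd_opt "$f" PasswordAuthentication yes)
    # KbdInteractiveAuthentication replaced ChallengeResponseAuthentication;
    # honour either spelling, default yes.
    kbd=$(sshd_opt "$f" KbdInteractiveAuthentication \
          "$(sshd_opt "$f" ChallengeResponseAuthentication yes)")
    root=$(sshd_opt "$f" PermitRootLogin prohibit-password)
    empty=$(sshd_opt "$f" PermitEmptyPasswords no)

    [ "$pw" = yes ]    && { echo "WEAK: PasswordAuthentication yes (a stolen password logs straight in)"; bad=1; }
    [ "$kbd" = yes ]   && { echo "WEAK: keyboard-interactive auth on (PAM can still prompt for a password)"; bad=1; }
    [ "$root" = yes ]  && { echo "WEAK: PermitRootLogin yes (root reachable by password)"; bad=1; }
    [ "$empty" = yes ] && { echo "WEAK: PermitEmptyPasswords yes"; bad=1; }

    # A Match block can re-enable passwords for some users or addresses
    # even when the global setting is "no"; flag any that does.
    if awk 'tolower($1)=="match"{m=1}
            m && tolower($1)=="passwordauthentication" && tolower($2)=="yes"{found=1}
            END{exit !found}' "$f"; then
        echo "NOTE: a Match block re-enables PasswordAuthentication; review it"
        bad=1
    fi
    return $bad
}

# Constructed sample configs for a stand-alone run (not real server files).
make_samples() {
    weak=$(mktemp); hard=$(mktemp)
    cat > "$weak" <<'EOF'
# Typical distro default: the password line is commented out, so the
# built-in default "yes" applies.
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
    cat > "$hard" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
EOF
}

main() {
    make_samples
    for f in "$weak" "$hard"; do
        echo "== $f"
        audit_sshd_config "$f" && echo "OK: no password path into this host"
    done
    rm -f "$weak" "$hard"
}

# Set SSHD_AUDIT_NO_MAIN=1 to source the functions without running the demo.
[ -n "${SSHD_AUDIT_NO_MAIN:-}" ] || main
```

On a real host, point it at the live file (`audit_sshd_config /etc/ssh/sshd_config`) or, better, at the output of `sshd -T` run as root, which already resolves defaults and include files. Closing the password path is what the summary's conclusion asks for; it does not find an SSH backdoor that is already installed, which is why the post above also talks about reinstalling from clean media.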