Hunting Malware on Linux Production Servers: The Windigo Backstory

DerbyCon 4.0 - Family Rootz

Presented by: Olivier Bilodeau
Date: Friday September 26, 2014
Time: 19:30 - 19:55
Location: Stable Talks

Operation Windigo is a large server-side malware campaign that targets Unix systems (BSD, Linux, etc.). There are three major components: Linux/Ebury, an OpenSSH backdoor and credential stealer; Linux/Cdorked, a web server backdoor (it works with Apache, Nginx and Lighttpd) that redirects end-users to exploit kits; and Perl/Calfbot, a spam-sending daemon. The malicious operators control more than 25,000 compromised servers. Every day, they use this infrastructure to redirect more than 500,000 end-users to malicious content and to send more than 35M spam messages.

This talk will cover what we have done in order to investigate this operation: how we lured the operators into systems we own and observed them, and the tools we have built and techniques we have used in order to eavesdrop on their SSH and C&C SSL traffic and gather more information about the threats.

We will also cover what we have found: the level of professionalism of the malicious actors. They are skilled and stealthy. We will cover their use of elaborate deployment scripts that check for undocumented backdoors, disable security configurations and get a sense of how risky the server under attack is for them. We will also look at their various network evasion techniques and their use of non-persistent malware and proxies.

Attend our talk to understand why traditional on-disk forensics isn't sufficient to detect and investigate these types of threats. Learn to react to them by doing live system forensics with standard Linux utilities. As a bonus you will get an epic story of a year-long research effort on a malware battle happening on Internet-facing servers.

Olivier Bilodeau

