Backdoor, Malware, Spam – Windigo

In our Threat of the Week articles on the 13th of February and the 19thof December we have previously published advisories about Ransomware, a class of malware that uses encryption to restrict user access to files until a ransom is paid to the creator or source of the infection. You can all imagine how much trouble this can be… Researchers are reporting that they have uncovered another serious issue, a widespread malware campaign called Operation Windigo. In 2010/11 over 25000 Linux and Unix servers have been compromised – about half of these are still infected – by an OpenSSH Backdoor. These servers have been and are used for:

  • Redirecting Users to malicious and/or unwanted websites
  • Sending large amount of spam
  • Command & Control Communications
  • Credential stealing


The operation has been growing for 3-4 years now. ESET has released a detailed whitepaper about Windigo, the document can be found here: to the research the following are the 3 main components:

  • Linux/Ebury – OpenSSH backdoor, credential stealing
  • Linux/Cdorked – HTTP backdoor, traffic redirection
  • Perl/Calfbot – spam


What this means is that if you are running Linux servers, perhaps without your knowledge – hosted web servers for instance, you should be very vigilant and review your machines for badness. If you don’t, you may be an unwitting participant to serious malware abuse. Due to the fact that the malware campaign is using a number of different techniques to infect computers mainly for financial gain, it is very difficult to have a single solution that covers and protects against all of these. ITC can assist with deploying and managing technology to identify traffic to malicious websites. We integrate a number of technologies, managed under our NetSure360° platform, which can do:

  • Application layer inspection and URL filtering utilizing Palo Alto Next Generation firewalls
  • ForeScout Network Admission Control
  • HP ArcSight SIEM
  • Palo Alto Wildfire Zero-day Malware Detection


If you are an ITC NetSure360° customer, we already have a number of use cases that monitors traffic to malicious websites, administrative access and malware beaconing. We are also continuously developing content to recognize new threats on networks utilising log feeds from firewalls, IPS systems, Antivirus and more. If you would like to discuss any of these issues or anything at all about secure networking, please contact us on: 020 7517 3900 or email [email protected].