ESET research team assists FBI in Windigo case 0 890

First detected in 2011, the malware campaign that later became known as Windigo was able to infiltrate around 25,000 servers over a two-year period (2012-2014), with the malicious gang behind it demonstrating a high level of technical expertise. Operation Windigo is a set of Linux server-side malware tools used to redirect web traffic, send spam and host other malicious content.

At the core of Operation Windigo is Linux/Ebury, an OpenSSH backdoor and credential stealer, using that backdoor, the attackers installed additional malware to perform web traffic redirection (using Linux/Cdorked), send spam (using Perl/Calfbot or SSH tunnels) and, most importantly, steal credentials when the OpenSSH client was used to spread further.

In 2014 ESET published a research report entitled Operation Windigo. This report was awarded the inaugural Péter Szőr Award for best technical research at VB2014 and has also been used by law enforcement to explain exactly what Windigo is to prosecutors, lawyers and judges.

ESET’s collaboration with the FBI

At ESET our job is to protect all internet users and this task often requires collaboration with others such as law enforcement. In the case of Windigo, we have collaborated with the FBI through the sharing of technical details about the malicious operation and the malware components involved. This cooperation resulted in allowing the FBI investigators to better understand the various parts of this very complex scheme.

Maxim Senakh sentenced

The following timeline outlines the occurence of events leading up to the sentencing of Maxim Senakh

  • 2015-01-13: Indictment against Maxim Senakh is produced, charging him with 11 counts.
  • 2015-08-08: Maxim Senakh is arrested by Finnish authorities at its border while returning to Russia after personal travel.
  • 2016-01-05: Finland agrees to the extradition of Senakh.
  • 2016-02-04: Senakh is extradited from Finland to the US, where he pleads not guilty to all charges against him.
  • 2017-03-28: Maxim Senakh enters into a plea agreement with the US Attorney’s Office and pleads guilty to the first count of the indictment, the remaining 10 being dismissed.
  • 2017-08-03: Senakh is sentenced to 46 months in federal prison, without the possibility of parole.

Where are we now?

Not long after Senakh’s arrest in 2015, there was a sharp decrease in the traffic redirected by Cdorked, the component responsible for sending web visitors to exploit kits or unwanted advertisement pages and this activity has not resumed. The FBI had determined that this malicious activity benefited Senakh directly.

Unfortunately, however the sentencing of Senakh has not resulted in the complete shutdown of Windigo as new variants of Win32/Glupteba, a Windows malware that has strong ties with Windigo have been identified.

In addition, the malware component at the core of Windigo, has evolved. Development has continued with changes made to the latest versions, such as evasion of most of the public indicators of compromise, improved precautions against botnet takeover and a new mechanism to hide the malicious files on the filesystem.

Previous ArticleNext Article

Flaws in email encryption revealed 0 478

email encryption

A team of 8 academics have discovered weaknesses in OpenPGP and S/MIME encryption protocols which could lead to the plain text of encrypted emails being exposed to attackers. The academics have named these flaws “EFAIL”.

Insights from cryptography expert Bruce Schneier explained that “[t]he vulnerability isn’t with PGP or S/MIME itself, but in the way they interact with modern e-mail programs.”

To be able exploit the weaknesses, you would first need to access the end-to-end-encrypted email message. This could be by way of stealing it from a compromised account or by intercepting its path. Following this, the attacker would need to alter the email, adding a custom HTML code and then sending this new version onto the victim. The victim’s email client decrypts the email and is tricked by the malicious code into sending the full plaintext of the emails to the attackers. Even messages sent years ago are vulnerable.

The team said that their proof-of-concept exploit has been shown to be successful against 25 out of 35 tested S/MIME email clients and 10 out of 28 OpenPGP clients. The flaws affect email applications such as Apple Mail with the GPGTools encryption plug-in, Mozilla Thunderbird with the Enigmail plug-in, and Outlook with the Gpg4win encryption package. The academics said that, in keeping with the principles of responsible disclosure, they have reported their findings to all email providers concerned.

Time to change your Twitter password 0 623

Twitter Password

An internal bug exposed the passwords of an undisclosed number of the more than 330 million Twitter users.

Twitter CTO Parag Agrawal announced that it was a “bug that stored passwords unmasked in an internal log”. He went on to state “we have fixed the bug and our investigation shows no indication of breach or misuse”.

The Social Media platform are insisting that there is no sign of danger and that there is no reason to believe that the passwords were exposed outside of the organisation. However, they are still advising users to change their Twitter passwords and those of any other online service using the same password.

Some additional password tips from Twitter include enabling two-factor authentication and also using a password manager to create a strong and unique password for every individual online service.