ESET research team assists FBI in Windigo case 0 334

First detected in 2011, the malware campaign that later became known as Windigo was able to infiltrate around 25,000 servers over a two-year period (2012-2014), with the malicious gang behind it demonstrating a high level of technical expertise. Operation Windigo is a set of Linux server-side malware tools used to redirect web traffic, send spam and host other malicious content.

At the core of Operation Windigo is Linux/Ebury, an OpenSSH backdoor and credential stealer, using that backdoor, the attackers installed additional malware to perform web traffic redirection (using Linux/Cdorked), send spam (using Perl/Calfbot or SSH tunnels) and, most importantly, steal credentials when the OpenSSH client was used to spread further.

In 2014 ESET published a research report entitled Operation Windigo. This report was awarded the inaugural Péter Szőr Award for best technical research at VB2014 and has also been used by law enforcement to explain exactly what Windigo is to prosecutors, lawyers and judges.

ESET’s collaboration with the FBI

At ESET our job is to protect all internet users and this task often requires collaboration with others such as law enforcement. In the case of Windigo, we have collaborated with the FBI through the sharing of technical details about the malicious operation and the malware components involved. This cooperation resulted in allowing the FBI investigators to better understand the various parts of this very complex scheme.

Maxim Senakh sentenced

The following timeline outlines the occurence of events leading up to the sentencing of Maxim Senakh

  • 2015-01-13: Indictment against Maxim Senakh is produced, charging him with 11 counts.
  • 2015-08-08: Maxim Senakh is arrested by Finnish authorities at its border while returning to Russia after personal travel.
  • 2016-01-05: Finland agrees to the extradition of Senakh.
  • 2016-02-04: Senakh is extradited from Finland to the US, where he pleads not guilty to all charges against him.
  • 2017-03-28: Maxim Senakh enters into a plea agreement with the US Attorney’s Office and pleads guilty to the first count of the indictment, the remaining 10 being dismissed.
  • 2017-08-03: Senakh is sentenced to 46 months in federal prison, without the possibility of parole.

Where are we now?

Not long after Senakh’s arrest in 2015, there was a sharp decrease in the traffic redirected by Cdorked, the component responsible for sending web visitors to exploit kits or unwanted advertisement pages and this activity has not resumed. The FBI had determined that this malicious activity benefited Senakh directly.

Unfortunately, however the sentencing of Senakh has not resulted in the complete shutdown of Windigo as new variants of Win32/Glupteba, a Windows malware that has strong ties with Windigo have been identified.

In addition, the malware component at the core of Windigo, has evolved. Development has continued with changes made to the latest versions, such as evasion of most of the public indicators of compromise, improved precautions against botnet takeover and a new mechanism to hide the malicious files on the filesystem.

Previous ArticleNext Article

Coming to terms with cyber security nightmare 0 195

Teddy Njoroge

Last year internet security companies made forecasts about possible cyber-threats to really worry about this year. This we followed with measures that companies and individuals needed to take to ensure a cyber-safe 2018. Paramount among these was the need for proactive use of protective software tools as well as sensitisation and training of users about these threats.

True to predictions, 2018 started with a scenario hardly anyone could have foreseen. Two serious design vulnerabilities in Computer Central Processing Units (CPUs) were exposed that could enable cyber-criminals to steal sensitive or private information such as passwords, documents and photos among other data from unsecured devices.

The “Meltdown and Spectre” CPU vulnerabilities point to a much larger underlying issue. Software bugs and hardware bugs are more common than not, but these once identified can be fixed fairly easily with either a software patch or firmware update for hardware issues.

However, as it turns out this is not possible with these two vulnerabilities as they are caused by a design flaw in the hardware architecture, only fixable by replacing the actual hardware. And that is where the problems begin.

CPUs of affected manufacturers such as AMD, ARM, Intel, among others appear in a lot of Internet of Things (IoT) devices and which are scattered all over the globe.

According to ARM, they are already “securing” a trillion (1,000,000,000,000) devices. Granted, not all ARM CPUs are affected, but if even 0.1 per cent of them are, it still means a billion (1,000,000,000) affected devices.

Due to the huge costs involved, it is not feasible to replace all these faulty CPUs. In reality people will keep their existing devices until end of their life cycles, for years even.

Deployed for countless and diverse applications in the households or offices, once operational many owners have most likely forgotten that they have them and which inherently leaves a giant gap for cybercriminals to exploit.

Any Wi-Fi-controlled device such as refrigerator, digital picture frames, Smart TVs, DVRs and PVRs etc., potentially provides opportunity for sensitive data to be lost. For example, a compromised Wi-Fi password for any of these can make it possible for anyone to hack your home or office network thus giving automatic access to any other connected platform such as emails, social media pages and even shared cloud or archive platforms.

Even though to get access to your IoT device, a would be attacker needs to have compromised the internet network already, or even the applications running on the device, we know that cyber-criminals just like a pack of wolves will not relent after smelling blood.

As a warning, when you are buying a new IoT device, ensure to check which CPU it is running on, and if that CPU is affected by these vulnerabilities.

 

Meltdown and Spectre 0 300

 Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018 to mitigate a major vulnerability to Windows in modern CPU architectures. ESET released Antivirus and Antispyware module 1533.3 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft’s patch.

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, as well as processors from AMD, and even affecting ARM processors commonly used in tablets and smartphones.

The good news is that ESET can help protect against the types of malware that could take advantage of these vulnerabilities.

And, ESET was one of the very first security vendors to allow the Microsoft patch against the flaw to be enabled.

While ESET protects against potential malware infection, you should also take these steps to secure your computers and data:

  • Make sure your browser is up to date. For Chrome or Firefox users:
    • Mozilla has released information describing their response, including how Firefox 57 will address these security flaws.
    • Google has stated, “Chrome 64, due to be released January 23, will contain mitigations to protect against exploitation.” In the meantime, you can enable “Site Isolation” found in current stable versions of Chrome to provide better protection.
  • Make sure you update your ESET software, then update your Windows OS to protect against this exploit. To update ESET:
  • Customers should review ESET’s Knowledgebase article for important updates.
  • See this great collection of tips, articles and recommendations from the Google Project Zero team.
  • If you have a cloud-based server or have a website hosted by hosting provider, check to see what mitigations they have implemented already to prevent Meltdown.