Operation Windigo was one of the biggest operations against a criminal gang this year - led by ESET with help from law enforcement and scientists from around the world, including Europe’s CERN (the organization behind the Large Hadron Collider). It highlighted a new, dangerous threat, in which criminals compromise UNIX servers to redirect victims - and successfully took over thousands of servers and sites around the world.
Pierre-Marc Bureau, Security Intelligence Program Manager, says, “The malicious gang is using these servers to send spam, redirect web traffic to malicious content, and steal more server credentials to widen their operation.” At its height, Windigo sent 35 million spam messages a day and redirected 500,000 web users to malicious sites. Bureau's detailed analysis of the malware and techniques used can be found here. ESET researcher Olivier Bilodeau chronicles the ongoing battle against Windigo here.
The victims often never knew they were infected. Even today ESET blocks thousands of redirects from infected servers - and this arduous research has thrown light on a new, sinister face of cybercrime.
ESET researchers have helped many companies identify and neutralize the infection, and this effort goes on today. Francois Gagnon, whose company was targeted, reveals what happened when this novel, emerging threat took hold of his large company.
Bureau says, “ESET has invested months of efforts to analyze, understand, and document Operation Windigo. At the peak of analysis activity, six researchers worked on the investigation. We are very proud of the current results and we continue to monitor the situation. All servers have not been cleaned and the malicious gang behind the operation is still in control of significant resources. There is still a lot of work to do!” Veteran security researcher, writer and We Live Security contributor Graham Cluley says that at one point half a million PCs were attacked a day. Most victims remained unaware.
Francois Gagnon, owner of a business whose servers in France and Canada fell victim for weeks, explains how a large business can fall prey - and not notice.
Were you aware that this sort of attack was possible?
Like most businesses of our size, we knew criminals 'sniffed around', but had never been the subject of a serious attack. To begin with, we didn't realize what it was. But this did not feel like something really offensive. It was running in the background pretty silently. No crash or anything happened. I think that's why it had infected so many servers before people started to react.
Did the nature of the attack surprise you?
One of the first things you learn in any form of hi-tech business is that anything is possible. But we knew from the start that Windigo was something different. It was subtle. No one stole our database - the first we heard was that suspicious behavior, like random redirections on some websites, was mentioned by some customers.
When did you realize that something very bad was happening?
We discovered that some of our servers were on email blacklists - used to pick out spammers. We knew that our system had sent spam. Our customers also mentioned that some of our sites - we have 2,000 - were randomly redirecting customers. It was customer complaints that helped us realize something was badly wrong. Some suspicious behaviors, like random redirections on some websites, were mentioned by some customers as well.
Just how ‘stealthy’ is this infection - how long did it take you to realize you were a victim?
I suppose we had been infected a few weeks before we realized what was going on. We pushed our investigation further and realized that most servers had been infected after we had opened tickets with cPanel. Their servers were infected and they infected our servers using SSH connections to us.
How did you react? Did you fear your business was under threat?
We rapidly went from not worrying to the worst worry of all - that it was an advanced threat, targeted specifically at us. We run a dozen servers and 2,000 sites. At the beginning we thought that it could be a targeted attack, but we quickly understood that many other businesses were running through the same issues. Plenty of people were talking about those strange behaviors on many forums.
Did you work closely with researchers on this - when did you realize that there were so many other victims?
We were quickly contacted by ESET and were told about how big this infection was, and quickly started to work very closely with the research team. We cleaned infected servers but kept some intact for ESET's investigation. Marc-Etienne of ESET offered advice - clean the server and reinstall. It’s a harsh cure, but we did it. We have now cleaned almost all of our infected servers and re-installed. We worked closely with ESET’s team, and some servers were used to help the researchers understand the infection. We have now reinstalled most of them.
Why were you targeted?
That is easy. We have a lot of servers, and many customers in France and Canada.
Why do you think your business was targeted?
Simply because we have many servers, and many customers in France and Canada. Thanks to the quick action of ESET, our company’s reputation was not damaged - we listened to our customers and acted. We did not suffer severe financial loss, either.
What are your feelings towards the gang behind this - and the companies still suffering?
This attack is big. Many web hosting companies were infected and didn’t even know what it was. They were told by cPanel to reinstall - and that was it. That was all the help we got. We were lucky. We worked closely with ESET, who helped put it right, and I hope we helped in turn with the Windigo project.
What is the status of your company now?
We are fully operational. We have always been cautious and taken seriously any strange or suspicious behavior. If the government took these kinds of attacks more seriously and invested more money to help companies such as ESET, it may prevent some attacks.
An introduction to this long-running, complex malware campaign - whose perpetrators remain at large - is offered by Pierre-Marc Bureau in "Operation Windigo" here.
At his request, We Live Security used a fake name for our interviewee. The gang behind Windigo is still at large and reprisals are a possibility.