Linux-served porn sites may offer devs more than they bargained for after villains behind one of 2014's nastiest malware campaigns changed tactics to hit adult sites with stealthier wares.
The Windigo campaign was revealed in March 2014 to have over the previous two years infected 25,000 Unix and Linux servers, with some 10,000 under active control including kernel.org at the time.
Those numbers were smaller than those seen in other campaigns but potentially more damaging, given that servers were being compromised.
In a preview of the talk he will give at Linux.conf.au on Friday in Auckland, ESET malware analyst Olivier Bilodeau said the malware writers had infected porn sites after Windigo was outed.
"They were infecting anything with a good IP, but now they are infecting mostly porn sites.
"It's really stealthy because you are expecting to see pop-ups and banners and who reports issues to porn site? Who reports an exe download attempt? No one.
"Usually when they infect one server it affects thousands of users."
Potential victims were distinguished from administrators by looking for common admin activity and were then prompted to download exploit kits where further compromise could take place, or to dating sites for revenue generation.
the exploit kits use vary: attackers began with Flashblack, then moved to the infamous and since dead BlackHole kit, and are now foisting RIG.
The attack still relied on stolen credentials but had been re-jigged to infect victims at a steady rate rather than in more noticeable spikes.
Many of those unnamed targeted porn websites were smaller "specialised" sites which would have fewer security tools in place than larger smut-peddlers.
"We think they are interested in staying under the radar and making money, and not spreading too largely [because] law enforcement may be interested if there is a lot of victims," he said.
VXers do DevOps
Windigo developers have engaged in a cat-and-mouse with ESET since its outing, manipulating their malware as researchers updated techniques to identify and remove the infection.
They are now engaged in DevOps, a first for the malware scene according to ESET. "It is the first time we have seen these specific techniques used," Bilodeau said.
ESET has put out an open call for identification and removal instructions to curb the trend.
Malware writers used Bash and Perl scripts streamed through SSH rather than having them downloaded on a server meaning the code was never written on the server forcing ESET to man-in-the-middle the SSH protocol running on a Windigo-infected honeypot.
This was quite an effort for developers, he said.
The Perl script found wiped logs, examined installed patches, and security frameworks allowing it to target specific Linux installations.
Further statistical analysis was hindered by the absence of command and control servers and the changing nature of the threat meaning extrapolation into the number of victims was "more art than science".
Prevention is a more simple affair: use two-factor authentication. ®