Jump to content

Malware coders adopt DevOps to target smut sites


steven36

Recommended Posts

Linux VXers are aiming below the belt

Porn sites may offer Linux devs more than they bargained for after villains behind one of 2014's nastiest malware campaigns changed tactics to hit adult sites with stealthier wares.

The Windigo campaign was revealed in March 2014 to have over the previous two years infected 25,000 Unix and Linux servers, with some 10,000 under active control including kernel.org at the time.

Those numbers were smaller than other campaigns but potentially more damaging given its compromise of servers and the complexities of the malware.

In a preview of the talk he will give at Linux.conf.au on Friday in Auckland, ESET malware analyst Olivier Bilodeau said the malware writers had infected porn sites after Windigo was outed.

"They were infecting anything with a good IP, but now they are infecting mostly porn sites,"

"It's really stealthy because you are expecting to see pop-ups and banners and who reports issues to porn site? Who reports an exe download attempt? Noone.

"Usually when they infect one server it affects thousands of users."

Potential victims were distinguished from administrators by looking for common admin activity and were then redirected to exploit kits where further compromise could take place, or to dating sites for revenue generation.

the exploit kits use vary: attackers began with Flashblack, before moving to the infamous and since dead BlackHole kit, and was now foisting RIG.

The attack still relied on stolen credentials but had been re-jigged to infect a steady rate of victims rather than more noticeable spikes.

Many of those unnamed targeted porn websites were smaller "specialised" sites which would have fewer security tools in place than larger smut-servers.

"We think they are interested in staying under the radar and making money, and not spreading too largely [because] law enforcement may be interested if there is a lot of victims," he said.

VXers do DevOps

Windigo developers have engaged in a cat-and-mouse with ESET since its outing, manipulating their malware as researchers updated techniques to identify and remove the infection.

Developers not at Linux.conf were now asked to email ESET for identification and removal instructions to curb the trend.

They were now engaged in DevOps in what ESET thought was a first for the malware scene. "It is the first time we have seen these specific techniques used," he said.

Malware writers used Bash and Perl scripts streamed through SSH rather than having them downloaded on a server meaning the code was never written on the server forcing ESET to man-in-the-middle the SSH protocol running on a Windigo-infected honeypot.

This was quite an effort for developers, he said.

The Perl script found wiped logs, examined installed patches, and security frameworks allowing it to target specific Linux installations.

Further statistical analysis was hindered by the absence of command and control servers and the changing nature of the threat meaning extrapolation into the number of victims was "more art than science".

Prevention is a more simple affair: use two factor authentication. ®

Source

Link to comment
Share on other sites


  • Views 747
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...