Malware Attack Infected 25,000 Linux/UNIX Servers

wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirected web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."

From the Article

From the Article

No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
We conclude that password-authentication on servers should be a thing of the past

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Nuff said.

Re:From the Article

[bvanheu]

What other fucking form of authentication is there? Certs? Those are just strings - like a password. Encrypted certs? What are you encrypting them with?

It all comes down to a secret someone has too know. Call it a key, a cert, a token, whatever, it's a fucking password at the end of the day.

If your auth'ing with a username / password on an infected server you're actually *sending* your credentials to the server. This is not he case wih a cert auth, especially when you use ssh-agent to hop to other servers.

You know *nothing* about security

[cbhacking]

Um, no, You're *FULL* of bullshit if you talk about certs that way. You obviously don't have a clue.

Key differences between public key auth ("certs") and password auth (no particular order):
1) You can re-use your public key with multiple sites and even if one of them is actively malicious, it doesn't help them break into the others. Not so with passwords.
2) Passwords, or at least verifiers for them, must be stored by all sites you use the password with. Public keys don't do an attacker any good at all even if they compromise a service on which you used the same credentials as their real target.
3) Public/Private keypairs are automatically generated by programs that filter the results for security. Passwords are often generated by people who don't know a thing about security (like some /. users I know...).
4) Passwords are short, intended to be remembered and typed. Asymmetric keys are long, meant to be transported as files (or certificate blobs). The former is vastly easier to brute force (an extremely strong password might take weeks on typical commodity hardware but most would only take minutes) than the latter (factoring some sub-1024-bit RSA public keys - weaker than any in serious use today - has been an open challenge for *years* and the best we've managed before required the resources of a university supercomputer working for weeks).
5) Public Key Infrastructure certificates include mechanisms like expiration and revocation. Passwords have no such protection and must be manually changed or reset in the event of a potential compromise.
6) Private keys can (and should be) protected with passwords, making them in effect a form of two-factor authentication (you HAVE the key, you KNOW its password). Passwords are a single factor.
7) A password gets much harder to use as its length increases, and the strength doesn't always increase as a factor of length because long passphrases are more likely to be generated with predictable rules to aid memorization. Public keys can be made thousands of times as strong without making them any less convenient for the user (aside from an increase in the one-time generation time, a slight increase in authentication time, and a bit more bandwidth used).
8) A password is, almost by definition, short enough to memorize or at least write down in a reasonable time. Very few humans could ever manage to memorize even a 1024-bit key pair; anything much stronger is right out. Calling it "a secret someone has too[sic] know" is simple idiocy.
9) Certificates can be used over unsecured connections (in fact, they're how we establish secure connections). Passwords sort-of can (SRP) but the typical usage of them requires a protected channel as an eavesdropper otherwise can steal your credentials, and SRP requires that the password be communicated to the server out-of-band (typically over a connection secured with public key crypto...)

Don't get me wrong, passwords have advantages (mostly in matters of convenience at a cost to security, but a secure system that is so inconvenient to use that nobody ever does so isn't any better than no system at all). I'm not saying we should do away with them. It was just painful to read the complete nonsense in your post, and I felt I had to set the record straight lest some other ignorant fool mistakenly believe you to know what you're talking about.