
Hunting Malware on Linux Production Servers: The Windigo Backstory - Olivier Bilodeau Derbycon 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)


Operation Windigo is a large server-side malware campaign that targets Unix systems (BSD, Linux, etc.). There are three major components: Linux/Ebury, an OpenSSH backdoor and credential stealer; Linux/Cdorked, a web server backdoor (it works with Apache, Nginx and Lighttpd) that redirects end users to exploit kits; and Perl/Calfbot, a spam-sending daemon. The malicious operators control more than 25,000 compromised servers. Every day, they use this infrastructure to redirect more than 500,000 end users to malicious content and send more than 35M spam messages.

This talk will cover what we have done in order to investigate this operation: how we lured the operators into systems we own and observed them, and the tools we have built and techniques we have used in order to eavesdrop on their SSH and C&C SSL traffic and gather more information about the threats.

We will also cover what we have found: the level of professionalism of the malicious actors. They are skilled and stealthy. We will cover their use of elaborate deployment scripts that check for undocumented backdoors, disable security configuration and get a sense of how risky the server under attack is for them. We will also look at their various network evasion techniques and their use of non-persistent malware and proxies.

Attend our talk to understand how traditional on-disk forensics isn't sufficient to detect and investigate these types of threats. Learn to react to them by doing live system forensics with standard Linux utilities. As a bonus you will get an epic story of a year-long research on a malware battle happening on Internet-facing servers.
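The abstract's point about non-persistent malware is that once a dropped binary or injected library has been unlinked, a disk image no longer contains it, but the running kernel still does: /proc/PID/exe and /proc/PID/maps keep the original path and mark it "(deleted)". The script below is an added example of that kind of live triage with nothing but POSIX sh, readlink and awk; it is not code from the talk or from the researchers, and it does not encode any Windigo-specific indicator. The fake /proc tree it builds (PIDs, paths, library names) is constructed here purely so the checks can be exercised offline.

```shell
#!/bin/sh
# Live-process triage straight from /proc, for hosts where on-disk forensics
# would come up empty. Added example; not part of the Windigo research.
# Every function takes a proc root as $1 so it can run against /proc on a live
# box or against the constructed tree built by build_fake_proc below.

# Processes whose executable was unlinked after exec: the kernel keeps the
# original path in the exe symlink and appends " (deleted)".
find_deleted_exes() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        target="$(readlink "$d/exe" 2>/dev/null)" || continue   # kernel threads have no exe
        case "$target" in
            *" (deleted)")
                comm="$(cat "$d/comm" 2>/dev/null || echo '?')"
                printf '%s\t%s\t%s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done
}

# Mapped files (injected .so, memfd-backed payloads) that no longer exist on disk.
# maps format: address perms offset dev inode pathname; strip the first five
# fields so paths containing spaces survive, and report each path once per PID.
find_deleted_maps() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        [ -r "$d/maps" ] || continue
        awk -v pid="$pid" '/ \(deleted\)$/ {
            p = $0
            for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", p)
            if (!seen[p]++) printf "%s\t%s\n", pid, p
        }' "$d/maps"
    done
}

# Executables running out of world-writable or tmpfs locations, or from hidden
# directories: legitimate daemons almost never live there.
find_suspicious_paths() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        target="$(readlink "$d/exe" 2>/dev/null)" || continue
        case "$target" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*/.*/*)
                comm="$(cat "$d/comm" 2>/dev/null || echo '?')"
                printf '%s\t%s\t%s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done
}

# Constructed sample tree (assumption: these PIDs/paths are invented for the
# demo). One clean init, one sshd whose binary was unlinked and which maps a
# deleted library, and one "httpd" executing from a hidden dir under /dev/shm.
build_fake_proc() {
    root="$(mktemp -d)"
    mk_entry() { mkdir -p "$1/$2"; ln -s "$4" "$1/$2/exe"; echo "$3" > "$1/$2/comm"; }
    mk_entry "$root" 1 init /sbin/init
    printf '7f0000000000-7f00001c0000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc.so.6\n' > "$root/1/maps"
    mk_entry "$root" 4242 sshd "/usr/sbin/sshd (deleted)"
    {
        printf '7f1a00000000-7f1a00021000 r-xp 00000000 00:00 0 /tmp/.cache/inject.so (deleted)\n'
        printf '7f1a00021000-7f1a00022000 rw-p 00020000 00:00 0 /tmp/.cache/inject.so (deleted)\n'
        printf '7f1a00100000-7f1a001c0000 r-xp 00000000 08:01 4321 /lib/x86_64-linux-gnu/libc.so.6\n'
    } > "$root/4242/maps"
    mk_entry "$root" 5150 httpd /dev/shm/.x/httpd
    printf '7f2b00100000-7f2b001c0000 r-xp 00000000 08:01 4321 /lib/x86_64-linux-gnu/libc.so.6\n' > "$root/5150/maps"
    printf '%s\n' "$root"
}

# Demo against the constructed tree; on a live host call the three
# find_* functions with /proc (as root, so every PID's exe/maps is readable).
demo_root="$(build_fake_proc)"
echo "== executables unlinked from disk (pid, comm, exe) =="
find_deleted_exes "$demo_root"
echo "== deleted files still mapped (pid, path) =="
find_deleted_maps "$demo_root"
echo "== executables in tmpfs / hidden locations (pid, comm, exe) =="
find_suspicious_paths "$demo_root"
rm -rf "$demo_root"
```

Two caveats for live use: run it before anything restarts the suspect daemons (a reboot or service restart destroys exactly the evidence this collects), and treat the hits as leads rather than verdicts, since a package upgrade that replaced a library while a process kept it mapped produces the same "(deleted)" marker. Pair the results with package-manager verification (rpm -Va, debsums) of the paths that are still on disk.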
