Operation Windigo is a large server-side malware campaign that targets Unix systems (BSD, Linux, etc.). There are three major components: Linux/Ebury, an OpenSSH backdoor and credential stealer; Linux/Cdorked, a web server backdoor (it works with Apache, Nginx and Lighttpd) that redirects end-users to exploit kits; and Perl/Calfbot, a spam-sending daemon. The malicious operators control more than 25 000 compromised servers. Every day, they use this infrastructure to redirect more than 500 000 end-users to malicious content and send more than 35M spam messages.

This talk will cover what we have done in order to investigate this operation: how we lured the operators into systems we own and observed them, and the tools we have built and techniques we have used in order to eavesdrop on their SSH and C&C SSL traffic and gather more information about the threats. We will also cover what we have found: the level of professionalism of the malicious actors. They are skilled and stealthy. We will cover their use of elaborate deployment scripts that check for undocumented backdoors, disable security configuration and get a sense of how risky the server under attack is for them. We will also look at their various network evasion techniques and their use of non-persistent malware and proxies. Attend our talk to understand how traditional on-disk forensics isn't sufficient to detect and investigate these types of threats. Learn to react to them by doing live system forensics with standard Linux utilities. As a bonus you will get an epic story of year-long research on a malware battle happening on Internet-facing servers.
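A live-triage check in the spirit of the abstract's closing point, written here as an added example (not the presenters' own tooling): it walks /proc with standard utilities to surface running code whose backing file has been removed from disk, which a disk-only examination would never see. It assumes a Linux procfs; the function names are this example's own.

```shell
#!/bin/sh
# Added example: live triage of a Linux host using only /proc, readlink and awk.
# Non-persistent malware may run from a binary that was unlinked after launch,
# or map code from a file that no longer exists; procfs still exposes both.

# Print "PID EXE" for every process whose executable has been unlinked.
# The kernel appends " (deleted)" to the /proc/PID/exe link target in that case.
find_deleted_exe_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # skip unreadable pids
        case "$exe" in
            *" (deleted)") printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Print "PID PATH" for file-backed memory mappings (shared libraries, injected
# code) whose file has been deleted. Anonymous mappings such as [heap] are skipped.
find_deleted_mapped_files() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        awk -v pid="$pid" '$6 ~ /^\// && /\(deleted\)$/ {
            path = $6; for (i = 7; i <= NF; i++) path = path " " $i
            if (!seen[path]++) print pid, path     # one line per pid/path pair
        }' "$p/maps" 2>/dev/null
    done
}

# Wrapper for scripting: prints findings and returns 1 if anything was found,
# 0 on a clean host, so it can gate an alert or a deeper collection step.
live_triage() {
    out=$(find_deleted_exe_procs; find_deleted_mapped_files)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run `live_triage` as root to cover every process; as an unprivileged user it only reports processes that user can inspect.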
Copyright 2020, IronGeek