https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31088#M22734 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I also checked out the Threat Vault. I've now done a more thorough look and I don't see indications that most of the network based signatures are present.</P><P></P><P>A link of the article I give has some Snort signatures:</P><P><A href="https://github.com/eset/malware-ioc/tree/master/windigo" title="https://github.com/eset/malware-ioc/tree/master/windigo">malware-ioc/windigo at master · eset/malware-ioc · GitHub</A> lists:</P><UL><LI>Linux/Ebury</LI><LI>Linux/Cdorked</LI><LI>Linux/Onimiki</LI><LI>Perl/Calfbot</LI></UL><P>I don't see any of these listed either. At the end of that link it also mentions:</P><UL><LI>Win32/Glupteba.M</LI><LI>Win32/Boaxxe.G</LI></UL><P>Though Boaxxe is listed in the viruses section. Boaxxe.G isn't listed.</P><P></P><P>The white paper is at:</P><P><A href="http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf">http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf</A></P><P></P><P>Thanks,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Drew Daniels</P></BODY></HTML> Tue, 25 Mar 2014 19:15:37 GMT ddaniels 2014-03-25T19:15:37Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31086#M22732 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Is there a Windigo signature under another name, or some other way to detect a Windigo infection or infection attempt using the Threat detection feature or something else?</P><P></P><P>From what I've read only a host based intrusion detection system could actually see an infection, though the scanning and some of the vectors of attack like web may be detectable.</P><P></P><P><A href="http://lwn.net/Articles/590934/" title="http://lwn.net/Articles/590934/">10,000 Linux servers hit by malware (ars technica) [LWN.net]</A></P><P></P><P>Thanks,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Drew Daniels</P></BODY></HTML> Thu, 20 Mar 2014 14:56:24 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31086#M22732 ddaniels 2014-03-20T14:56:24Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31087#M22733 <HTML><HEAD></HEAD><BODY><P>I just checked our Threat Vault:</P><P><A href="https://threatvault.paloaltonetworks.com/" title="https://threatvault.paloaltonetworks.com/">https://threatvault.paloaltonetworks.com/</A></P><P></P><P>And we do not have an entry for this.</P><P>I think that there were not just 1 or even a handful of vulnerabilities used in all of this.. but combinations of guessing passwords and using known vulnerabilities. </P><P>We cannot help against the password guessing, but we can continue to help guard against known threats and vulnerabilities.</P><P></P><P>Please let me know if this answers your question.</P></BODY></HTML> Fri, 21 Mar 2014 15:21:17 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31087#M22733 jdelio 2014-03-21T15:21:17Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31088#M22734 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I also checked out the Threat Vault. I've now done a more thorough look and I don't see indications that most of the network based signatures are present.</P><P></P><P>A link of the article I give has some Snort signatures:</P><P><A href="https://github.com/eset/malware-ioc/tree/master/windigo" title="https://github.com/eset/malware-ioc/tree/master/windigo">malware-ioc/windigo at master · eset/malware-ioc · GitHub</A> lists:</P><UL><LI>Linux/Ebury</LI><LI>Linux/Cdorked</LI><LI>Linux/Onimiki</LI><LI>Perl/Calfbot</LI></UL><P>I don't see any of these listed either. At the end of that link it also mentions:</P><UL><LI>Win32/Glupteba.M</LI><LI>Win32/Boaxxe.G</LI></UL><P>Though Boaxxe is listed in the viruses section. Boaxxe.G isn't listed.</P><P></P><P>The white paper is at:</P><P><A href="http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf">http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf</A></P><P></P><P>Thanks,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Drew Daniels</P></BODY></HTML> Tue, 25 Mar 2014 19:15:37 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31088#M22734 ddaniels 2014-03-25T19:15:37Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31089#M22735 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I also ran across this:</P><P><A href="http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo" title="http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo">http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo</A></P><P>The paper lists three main malicious components (ESET detection names):</P><UL><LI>Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials</LI><LI>Linux/Cdorked – an HTTP backdoor used to redirect Web traffic</LI><LI>Perl/Calfbot – a Perl script used to send spam</LI></UL><P>[...]</P><P>Symantec customers are protected against malware used in Operation Windigo with the following signatures:</P><P><STRONG>AV</STRONG></P><UL><LI><A href="http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99">Backdoor.Trojan</A></LI><LI><A href="http://www.symantec.com/security_response/writeup.jsp?docid=2013-050214-5501-99">Linux.Cdorked</A></LI><LI><A href="http://www.symantec.com/security_response/writeup.jsp?docid=2013-022222-0208-99">Linux.SSHKit</A></LI><LI><A href="http://www.symantec.com/security_response/writeup.jsp?docid=2014-022816-2347-99">Linux.SSHKit!gen1</A></LI><LI><A href="http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99">Trojan.Dropper</A></LI><LI><A href="http://www.symantec.com/security_response/writeup.jsp?docid=2013-091911-2440-99">Trojan.Tracur!gen5</A></LI><LI><A href="http://www.symantec.com/security_response/writeup.jsp?docid=2014-031813-1030-99">Trojan.Tracur!gen8</A></LI></UL><P> <STRONG>IPS</STRONG> </P><UL><LI><A href="http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25732">System Infected: Festi Rootkit Activity</A></LI></UL><P></P><P>On <A href="https://threatvault.paloaltonetworks.com/" title="https://threatvault.paloaltonetworks.com/">https://threatvault.paloaltonetworks.com/</A> I don't see anything related to ssh in Linux for Virus or Spyware. There's not much for SSH vulnerabilities that would hit except maybe brute force, and authentication informational. I see some "Tracur" signatures, but nothing that has "gen" in the name. dropper has too many hits to be able to figure out if it's the same one. I don't see any of the other parts of the signature sub-names (e.g. I searched for cdorked, Ebury, calfbot...) from this article.</P><P></P><P>Thanks,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Drew Daniels</P></BODY></HTML> Wed, 26 Mar 2014 18:15:01 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-windigo-signature/m-p/31089#M22735 ddaniels 2014-03-26T18:15:01Z