Is there a Windigo signature?

Hi,

Is there a Windigo signature under another name, or some other way to detect a Windigo infection or infection attempt using the Threat detection feature or something else?

From what I've read only a host based intrusion detection system could actually see an infection, though the scanning and some of the vectors of attack like web may be detectable.

10,000 Linux servers hit by malware (ars technica) [LWN.net]

Thanks,

     Drew Daniels

Community Team Member

Re: Is there a Windigo signature?

I just checked our Threat Vault:

https://threatvault.paloaltonetworks.com/

And we do not have an entry for this.

I think that there were not just 1 or even a handful of vulnerabilities used in all of this, but combinations of guessing passwords and using known vulnerabilities.

We cannot help against the password guessing, but we can continue to help guard against known threats and vulnerabilities.

Please let me know if this answers your question.

Stay Secure,
Joe
End of line

Re: Is there a Windigo signature?

Hi,

I also checked out the Threat Vault. I've now done a more thorough look and I don't see indications that most of the network based signatures are present.

A link in the article I gave has some Snort signatures:

malware-ioc/windigo at master · eset/malware-ioc · GitHub lists:

  • Linux/Ebury
  • Linux/Cdorked
  • Linux/Onimiki
  • Perl/Calfbot

I don't see any of these listed either. At the end of that link it also mentions:

  • Win32/Glupteba.M
  • Win32/Boaxxe.G

Though Boaxxe is listed in the viruses section. Boaxxe.G isn't listed.

The white paper is at:

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Thanks,

     Drew Daniels


Re: Is there a Windigo signature?

Hi,

I also ran across this:

http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect Web traffic
  • Perl/Calfbot – a Perl script used to send spam

[...]

Symantec customers are protected against malware used in Operation Windigo with the following signatures:

AV

IPS

On https://threatvault.paloaltonetworks.com/ I don't see anything related to SSH in Linux for Virus or Spyware. There's not much for SSH vulnerabilities that would hit except maybe brute force, and authentication informational. I see some "Tracur" signatures, but nothing that has "gen" in the name. "Dropper" has too many hits to be able to figure out if it's the same one. I don't see any of the other parts of the signature sub-names (e.g. I searched for cdorked, Ebury, calfbot...) from this article.

Thanks,

     Drew Daniels
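The manual check described in this thread (take the family names from the ESET Snort rules, then look each one up in a vendor's signature catalog) can be scripted so it is repeatable when the catalog changes. This is an added example, not code from the thread, from ESET's malware-ioc repository or from Palo Alto Networks; the Snort rules and the catalog entries below are constructed samples that only imitate the naming style, and `parse_snort_rules` / `coverage_report` are hypothetical helper names.

```python
import re
from typing import NamedTuple, Optional

# Constructed rules in the "Linux/Family" naming style the thread refers to.
# Illustrative only; NOT the actual rules published in eset/malware-ioc.
SAMPLE_RULES = r'''
# comment lines are ignored by the parser
alert tcp any any -> any 22 (msg:"MALWARE Linux/Ebury SSH backdoor"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"MALWARE Linux/Cdorked HTTP backdoor beacon"; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"MALWARE Linux/Onimiki DNS response"; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"MALWARE Perl/Calfbot C2 check-in"; sid:1000004; rev:1;)
'''

# Constructed vendor catalog export (not real Threat Vault data).
SAMPLE_CATALOG = ["Virus/Win32.boaxxe.a", "Trojan/Win32.tracur.gen", "Spyware/Win32.glupteba.m"]

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$')
# "Linux/Ebury", "Perl/Calfbot", "Win32/Boaxxe" style detection names inside msg
FAMILY_RE = re.compile(r'\b((?:Linux|Perl|Win32|PHP)/[A-Za-z0-9_]+)')


class SnortRule(NamedTuple):
    sid: int
    msg: str
    family: Optional[str]


def parse_snort_rules(text: str) -> list:
    """Extract sid, msg and the ESET-style family name from each Snort rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a single-line rule we understand; skip rather than guess
        opts = m.group(3)
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        sid = re.search(r'\bsid:\s*(\d+)', opts)
        if not (msg and sid):
            continue
        fam = FAMILY_RE.search(msg.group(1))
        rules.append(SnortRule(int(sid.group(1)), msg.group(1), fam.group(1) if fam else None))
    return rules


def coverage_report(rules: list, catalog: list) -> dict:
    """Map each family found in the rules to True if any catalog entry mentions it."""
    lowered = [entry.lower() for entry in catalog]
    report = {}
    for rule in rules:
        if rule.family is None:
            continue
        token = rule.family.split('/', 1)[1].lower()   # "Linux/Ebury" -> "ebury"
        report[rule.family] = any(token in entry for entry in lowered)
    return report
```

Families reported as False are the gaps to raise with the vendor, which for the constructed data above is all four, matching what the thread found.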
