Is there a Windigo signature under another name, or some other way to detect a Windigo infection or infection attempt using the Threat detection feature or something else?
From what I've read, only a host-based intrusion detection system could actually see an infection, though the scanning and some of the vectors of attack, like web, may be detectable.
I just checked our Threat Vault:
And we do not have an entry for this.
I think that there were not just 1 or even a handful of vulnerabilities used in all of this, but combinations of guessing passwords and using known vulnerabilities.
We cannot help against the password guessing, but we can continue to help guard against known threats and vulnerabilities.
Please let me know if this answers your question.
I also checked out the Threat Vault. I've now done a more thorough look and I don't see indications that most of the network-based signatures are present.
A link of the article I give has some Snort signatures:
I don't see any of these listed either. At the end of that link it also mentions:
Though Boaxxe is listed in the viruses section, Boaxxe.G isn't listed.
The white paper is at:
I also ran across this:
The paper lists three main malicious components (ESET detection names):
Symantec customers are protected against malware used in Operation Windigo with the following signatures:
On https://threatvault.paloaltonetworks.com/ I don't see anything related to ssh in Linux for Virus or Spyware. There's not much for SSH vulnerabilities that would hit except maybe brute force, and authentication informational. I see some "Tracur" signatures, but nothing that has "gen" in the name. "dropper" has too many hits to be able to figure out if it's the same one. I don't see any of the other parts of the signature sub-names (e.g. I searched for cdorked, Ebury, calfbot...) from this article.