03-20-2014 07:56 AM
Hi,
Is there a Windigo signature under another name, or some other way to detect a Windigo infection or infection attempt using the Threat detection feature or something else?
From what I've read, only a host-based intrusion detection system could actually see an infection, though the scanning and some of the vectors of attack, like web, may be detectable.
10,000 Linux servers hit by malware (ars technica) [LWN.net]
Thanks,
Drew Daniels
03-21-2014 08:21 AM
I just checked our Threat Vault:
https://threatvault.paloaltonetworks.com/
And we do not have an entry for this.
I think that there was not just one or even a handful of vulnerabilities used in all of this, but combinations of guessing passwords and using known vulnerabilities.
We cannot help against the password guessing, but we can continue to help guard against known threats and vulnerabilities.
Please let me know if this answers your question.
03-25-2014 12:15 PM
Hi,
I also checked out the Threat Vault. I've now done a more thorough look and I don't see indications that most of the network based signatures are present.
A link in the article I gave has some Snort signatures:
malware-ioc/windigo at master · eset/malware-ioc · GitHub lists:
I don't see any of these listed either. At the end of that link it also mentions:
Though Boaxxe is listed in the viruses section. Boaxxe.G isn't listed.
The white paper is at:
http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
Thanks,
Drew Daniels
03-26-2014 11:15 AM
Hi,
I also ran across this:
http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo
The paper lists three main malicious components (ESET detection names):
[...]
Symantec customers are protected against malware used in Operation Windigo with the following signatures:
AV
IPS
On https://threatvault.paloaltonetworks.com/ I don't see anything related to SSH in Linux for Virus or Spyware. There's not much for SSH vulnerabilities that would hit, except maybe brute force and authentication informational. I see some "Tracur" signatures, but nothing that has "gen" in the name. "Dropper" has too many hits to be able to figure out if it's the same one. I don't see any of the other parts of the signature sub-names (e.g. I searched for cdorked, Ebury, calfbot...) from this article.
Thanks,
Drew Daniels