Is there a Windigo signature?


Not applicable

Hi,

Is there a Windigo signature under another name, or some other way to detect a Windigo infection or infection attempt using the Threat detection feature or something else?

From what I've read only a host based intrusion detection system could actually see an infection, though the scanning and some of the vectors of attack like web may be detectable.

10,000 Linux servers hit by malware (ars technica) [LWN.net]

Thanks,

     Drew Daniels

3 REPLIES

L7 Applicator

I just checked our Threat Vault:

https://threatvault.paloaltonetworks.com/

And we do not have an entry for this.

I think that there were not just 1 or even a handful of vulnerabilities used in all of this, but combinations of guessing passwords and using known vulnerabilities.

We cannot help against the password guessing, but we can continue to help guard against known threats and vulnerabilities.

Please let me know if this answers your question.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hi,

I also checked out the Threat Vault. I've now done a more thorough look and I don't see indications that most of the network based signatures are present.

A link in the article I gave has some Snort signatures:

malware-ioc/windigo at master · eset/malware-ioc · GitHub lists:

  • Linux/Ebury
  • Linux/Cdorked
  • Linux/Onimiki
  • Perl/Calfbot

I don't see any of these listed either. At the end of that link it also mentions:

  • Win32/Glupteba.M
  • Win32/Boaxxe.G

Though Boaxxe is listed in the viruses section. Boaxxe.G isn't listed.

The white paper is at:

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Thanks,

     Drew Daniels

Not applicable

Hi,

I also ran across this:

http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect Web traffic
  • Perl/Calfbot – a Perl script used to send spam

[...]

Symantec customers are protected against malware used in Operation Windigo with the following signatures:

AV

IPS

On https://threatvault.paloaltonetworks.com/ I don't see anything related to ssh in Linux for Virus or Spyware. There's not much for SSH vulnerabilities that would hit except maybe brute force, and authentication informational. I see some "Tracur" signatures, but nothing that has "gen" in the name. "dropper" has too many hits to be able to figure out if it's the same one. I don't see any of the other parts of the signature sub-names (e.g. I searched for cdorked, Ebury, calfbot...) from this article.

Thanks,

     Drew Daniels
