Home Malware Programs Botnets Windigo


Posted: February 12, 2015

Threat Metric

Threat Level: 8/10
Infected PCs: 89
First Seen: February 12, 2015
OS(es) Affected: Windows

Windigo is a sophisticated, multi-component threat that hijacks websites to redirect visitors to attacks, which can install Trojans capable of collecting information, creating backdoors or sending spam messages. Although the Windigo campaign typically targets Unix and Linux website servers, PC users of all prominent OSes are vulnerable to Windigo infections, whose campaign has been ongoing for the past four years. Removing Windigo modules from your PC or website should use qualified anti-malware tools, after which malware researchers would recommend changing compromised passwords immediately.

Feeling the Chill of a Trojan Wind

Project Windigo, named after a cannibalistic, flying monster of Native American mythology, is a broad collection of portable Trojans and related threats. This family is responsible for an estimated thirty-five million spam messages sent daily from infected computers, which number in the thousands. Infections by Windigo Trojans are modular in design and can easily install themselves by the same spam messages they deliver or replace with updated variants. Malware researchers have verified most operating systems as vulnerable to Windigo's payloads, even though Unix and Linux servers are the primary means of distributed, non-spam attacks.

Windigo's victims typically are compromised through one of the above spam messages, or through visiting a compromised website. Even legitimate organizations, such as the Linux Foundation and cPanel, have been victimized by these attacks, which automatically redirect traffic to the Windigo Trojan-installing exploit kits. Vulnerable browsers are forced to run scripts that install the Windigo's malware automatically. Although malware experts find the Rig Exploit Kit to be the one currently in use, other EKs also have been seen previously.

Notable consequences of Windigo infection for both website admins and ordinary PC users typically include the creation of backdoors and a variety of spyware attacks. The latter of these can gather passwords and other account information, thus enabling new attacks.

Forcing a Thaw on the Windigo Operation

Windigo shows signs of being maintained by competent coders with their long-term business viability kept firmly in mind. Compromised servers don't have threatening code written directly to them; instead, Windigo hijacks the SSH (or SecureShell) credentials to create its backdoor vulnerabilities. The different modules, such as Calfbot and Cdorked, are specialized for individual purposes and can easily be removed or replaced without harming the overall structure of the Windigo infection. Windigo's creators also have made recent modifications in response to proactive defenses from other security companies, and currently limit all Windigo-compromised servers to pornographic websites.

However, for all of its sophistication, Windigo continues to use many of the basic strategies that you can block with old, good security habits. Strict browser settings and updated software can evade many attacks that can strike through your Web browser. Website administrators also should update their servers' software routinely for closing vulnerabilities that the Operation Windigo could exploit. Also for admins, some basic system commands also can be used to identify a potentially infected server. Meanwhile, if you believe that your PC could be compromised, use anti-malware products to remove Windigo modules, and change all passwords associated with the system.

Windigo is an exceptionally long-lived campaign for malware. However, malware researchers see few signs of Windigo stopping or slowing down. To the contrary, its illicit behavior seems inclined towards preserving the future success of the Windigo botnet by minimizing their personal risk.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Windigo may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.