Windigo
Posted: February 12, 2015
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. Criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path to determine a rise or decline in the percentage.
| Threat Level | 8/10 |
|---|---|
| Infected PCs | 89 |
| First Seen | February 12, 2015 |
| OS(es) Affected | Windows |
Windigo is a sophisticated, multi-component threat that hijacks websites to redirect visitors to attacks, which can install Trojans capable of collecting information, creating backdoors or sending spam messages. Although the Windigo campaign typically targets Unix and Linux website servers, PC users of all prominent OSes are vulnerable to Windigo infections, and the campaign has been ongoing for the past four years. Windigo modules should be removed from your PC or website with qualified anti-malware tools, after which malware researchers recommend changing compromised passwords immediately.
Feeling the Chill of a Trojan Wind
Project Windigo, named after a cannibalistic, flying monster of Native American mythology, is a broad collection of portable Trojans and related threats. This family is responsible for an estimated thirty-five million spam messages sent daily from infected computers, which number in the thousands. Windigo infections are modular in design: the same spam messages they deliver can install new modules or replace existing ones with updated variants. Malware researchers have verified most operating systems as vulnerable to Windigo's payloads, even though Unix and Linux servers are the primary means of distributing its non-spam attacks.
Windigo's victims typically are compromised through one of the spam messages described above, or through visiting a compromised website. Even legitimate organizations, such as the Linux Foundation and cPanel, have been victimized by these attacks, which automatically redirect traffic to the exploit kits that install Windigo Trojans. Vulnerable browsers are forced to run scripts that install Windigo's malware automatically. Although malware experts find the Rig Exploit Kit to be the one currently in use, other EKs also have been seen previously.
Notable consequences of Windigo infection for both website admins and ordinary PC users typically include the creation of backdoors and a variety of spyware attacks. The latter of these can gather passwords and other account information, thus enabling new attacks.
Forcing a Thaw on the Windigo Operation
Windigo shows signs of being maintained by competent coders with their long-term business viability kept firmly in mind. Compromised servers don't have threatening code written directly to them; instead, Windigo hijacks SSH (Secure Shell) credentials to create its backdoor access. The different modules, such as Calfbot and Cdorked, are specialized for individual purposes and can easily be removed or replaced without harming the overall structure of the Windigo infection. Windigo's creators also have made recent modifications in response to proactive defenses from other security companies, and currently limit the redirections from Windigo-compromised servers to pornographic websites.
However, for all of its sophistication, Windigo continues to use many basic strategies that you can block with good, long-established security habits. Strict browser settings and updated software defeat many attacks that strike through your Web browser. Website administrators also should update their servers' software routinely to close vulnerabilities that Operation Windigo could exploit. For admins, some basic system commands also can be used to identify a potentially infected server. Meanwhile, if you believe that your PC could be compromised, use anti-malware products to remove Windigo modules, and change all passwords associated with the system.
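As an added example (not code from the original article), here is one of the "basic system commands" checks an admin can script: parsing `ipcs -m` output for a large, world-writable shared memory segment. The heuristic (perms 666 and size over 3 MB) is assumed here from the published Operation Windigo indicators for the Ebury SSH backdoor, the threshold is an assumption, and the sample `ipcs` output is constructed; a hit is a reason to inspect the host, not proof of infection.

```python
import re
import shutil
import subprocess

# Assumed heuristic (from the Operation Windigo IoC guidance for Ebury, not from
# this page): a SysV shared memory segment with perms 666 and size > 3 MB on a
# server suspected of Windigo compromise deserves a closer look.
SIZE_THRESHOLD = 3 * 1024 * 1024

# Constructed sample of Linux `ipcs -m` output; the third segment is the kind
# of entry the heuristic flags (large and world-writable).
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      www-data   600        524288     2          dest
0x6c0fb57c 98304      root       600        8388608    1
0x00000000 131072     root       666        3391488    1
0x00000000 163840     root       666        65536      3
"""

# key shmid owner perms bytes nattch [status]; status is optional
SEGMENT_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)", re.IGNORECASE
)


def parse_ipcs(text):
    """Parse the segment rows of `ipcs -m`; header and blank lines are skipped."""
    segments = []
    for line in text.splitlines():
        m = SEGMENT_RE.match(line.strip())
        if not m:
            continue
        key, shmid, owner, perms, size, nattch = m.groups()
        segments.append({"key": key, "shmid": int(shmid), "owner": owner,
                         "perms": perms, "bytes": int(size), "nattch": int(nattch)})
    return segments


def suspicious_segments(text, threshold=SIZE_THRESHOLD):
    """Return segments that are world-writable (perms ending in 666) and larger than threshold."""
    return [s for s in parse_ipcs(text)
            if s["perms"].endswith("666") and s["bytes"] > threshold]


if __name__ == "__main__":
    # Use live `ipcs -m` output when the tool exists, else the constructed sample.
    if shutil.which("ipcs"):
        output = subprocess.run(["ipcs", "-m"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_IPCS
    for seg in suspicious_segments(output):
        print(f"shmid {seg['shmid']} owner={seg['owner']} perms={seg['perms']} "
              f"bytes={seg['bytes']}: large world-writable segment, inspect this host")
```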
Windigo is an exceptionally long-lived malware campaign. However, malware researchers see few signs of Windigo stopping or slowing down. On the contrary, its operators' behavior seems geared towards preserving the future success of the Windigo botnet while minimizing their personal risk.