Time to Rethink Network Security
The Operation Windigo botnet has compromised 25,000 Unix servers spewing out 35 million spam emails every day.

A cybercriminal campaign dubbed Operation Windigo has seized control of 25,000 Unix servers attacking half a million computers daily.

60% of the world's websites are run on Unix servers meaning the potential threat posed by Windigo is huge, with the cybercriminals behind the operation having created a potent platform for the distribution of malware and spam emails.

Operation Windigo was uncovered by security researchers at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing along with other agencies and has been operating under the radar for nearly three years.

Malware, ads and porn

The Windigo-affected websites typically serve malware to anyone visiting from a Windows PC while those using Apple's Mac OS X are served ads for dating sites while iPhone users are redirected to pornographic content.

"Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control," said ESET security researcher Marc-Étienne Léveillé.

"Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."

Wipe and reinstall

Three out of every five websites are run on Unix servers meaning the potential threat is huge. ESET is calling on all website administrators to check if their servers have been infected, and if so to wipe the operating system and software and reinstall them, with fresh passwords and private keys, as the existing credentials must be considered compromised.

"We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," explains Léveillé.