Unix botnet Operation Windigo steals your credentials and sends tons of spam


A security research team has discovered a long-standing Unix botnet which has generated a massive amount of malware in recent years. Dubbed “Operation Windigo,” the botnet was discovered and reported by antivirus software-maker ESET, working with an international task force consisting of the German Computer Emergency Response Team, or CERT-BUND, and the Swedish National Infrastructure for Computing, among others. As malware goes, Windigo operates a bit like a Swiss Army knife, doing everything from redirecting traffic to compromised sites, to sending millions of spam emails every day for at least two and a half years.

According to ESET, Windigo allegedly hijacked 25,000 UNIX servers using a Trojan, stealing credentials and data from its targets. ESET Security Researcher Marc-Étienne Léveillé says that Windigo attacks more than 500,000 targets per day.


To make matters worse, Windigo takes different forms depending on what OS you’re using. When Windigo attacks Windows PCs, it attempts to swipe the target’s data using an exploit kit, while Mac users get hit with popups for dating sites.

How to Check if Your Server is Infected by the Operation Windigo Botnet

There’s a way to fight back though. ESET says that Unix system admins can identify whether or not their server is infected by Windigo by using the command below.

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
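The one-liner above works because the backdoored OpenSSH shipped by Windigo accepts a -G option that stock OpenSSH of the time rejected, so a rejection message ("illegal option" or "unknown option") is the clean signal. The script below is an added example, not ESET's code or the article's, that wraps the same indicator in a small POSIX sh script. It separates the decision logic from the live ssh invocation so the logic can be exercised on captured text, and it adds one caveat the article does not mention: OpenSSH 6.8 and later accept -G natively (it prints the effective client configuration), so on those versions a missing rejection is not evidence of infection and the script reports the result as inconclusive rather than "infected". The function names, the version-parsing approach and the sample strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not ESET's or the article's code): wraps the ssh -G indicator.
# Caveat: OpenSSH 6.8+ accept -G legitimately, so the original one-liner would
# report "infected" on every modern host. openssh_supports_G guards against that.

# classify_ssh_output TEXT
# TEXT is whatever `ssh -G 2>&1` printed. Prints "clean" when ssh rejected the
# flag (the indicator the article relies on) and "suspicious" otherwise.
classify_ssh_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo suspicious
    fi
}

# openssh_supports_G BANNER
# BANNER is the output of `ssh -V`, e.g. "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips".
# Succeeds (exit 0) when the version is 6.8 or newer, i.e. -G is a real option
# and the one-liner cannot distinguish a clean binary from a trojanized one.
openssh_supports_G() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # not an OpenSSH banner at all
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# windigo_check: runs the live check on this host and prints one verdict line.
# Exit status: 0 clean, 1 suspicious, 2 inconclusive (modern OpenSSH).
windigo_check() {
    banner=$(ssh -V 2>&1)              # ssh -V writes its banner to stderr
    out=$(ssh -G 2>&1)
    verdict=$(classify_ssh_output "$out")
    if [ "$verdict" = suspicious ] && openssh_supports_G "$banner"; then
        echo "inconclusive: $banner accepts -G natively; use another indicator"
        return 2
    fi
    echo "$verdict"
    [ "$verdict" = clean ]
}
```

Source the script and call windigo_check on the host being examined; the exit status is what a fleet-wide collector should record, since "inconclusive" on a modern OpenSSH is the expected outcome and should not be counted as a compromise.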

If the system is infected, ESET recommends you wipe the machine, re-install the OS, and change all of the passwords used with that system.

“We realise that wiping your server and starting again from scratch is tough medicine,” says Léveillé, “but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks.”