Hunting Malware on Linux Production Servers - The Windigo Backstory
Offered By: YouTube
Course Description
Overview
Explore the intricacies of hunting malware on Linux production servers in this comprehensive conference talk from DerbyCon 4. Delve into Operation Windigo, examining compromised infrastructure, expansion methods, and its advanced nature. Investigate the money trail and impact of this operation, including case expansions and out-of-band techniques. Analyze reconnaissance and deployment scripts, daily monitoring processes, and other script findings. Learn about network evasion tactics, including SSH tunnels, nginx reverse proxies, and IP-in-IP tunnels. Discover indicators of compromise and gain valuable insights into protecting Linux servers from sophisticated malware threats.
Syllabus
Hunting Malware on Linux Production Servers
What is Operation Windigo?
Compromised infrastructure
How does it expand?
Why advanced?
Money trail
Impact
Same crypto code
Case expansion
Going out-of-band
Devops operators?
Recon / Deployment scripts
Perl scripts
Eliminates evidence
Recon script (cont)
Deployment script (cont)
Daily monitoring script
Other script findings
The situation is
Protip
SUCCESS
Recap
Network evasion
SSH tunnels
nginx reverse proxies
nginx Cdorked config example
nginx Calfbot config example
What are IP in IP tunnels
Inside the tunnels
iptables
Indicators of Compromise
Closing words