{
	"id": "dbb57865-d021-48ea-b1ec-47c8c0edf2be",
	"created_at": "2026-04-06T00:18:13.828954Z",
	"updated_at": "2026-04-10T03:34:57.332478Z",
	"deleted_at": null,
	"sha1_hash": "1a62a822de00eba4e3feb79d471e2e74267b953c",
	"title": "Operation Windigo:",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66101,
	"plain_text": "Operation Windigo:\r\nBy Olivier Bilodeau\r\nArchived: 2026-04-05 22:50:03 UTC\r\nESET Research\r\nOperation Windigo: \"Good job, ESET!\" says malware author\r\n15 Oct 2014  •  4 min. read\r\nFollowing the recognition at Virus Bulletin 2014 of ESET’s research on Operation Windigo, I took the opportunity to ask Marc-Etienne Léveillé – who worked directly on the Operation Windigo report – a few questions. Marc-Etienne is a malware researcher at ESET. He is interested in reverse engineering Linux and OS X malware. He is passionate about making links between different malware to have an overall view of how they are interconnected.\r\nQuite some time has passed since you last spoke about the large Linux crimeware operation dubbed Operation Windigo. Has there been anything happening lately worthy of mention?\r\nWe are still monitoring the Windigo gang. Unfortunately, we have not observed a decrease in their malicious activities since the publication of the report in March 2014. We still measure and block the same amount of traffic being redirected from Cdorked websites. Moreover, the various pieces of malware have been updated to evade our indicators of compromise (IoC).\r\nWhat is the biggest challenge posed by threats like these to system administrators?\r\nWe have been notifying a lot of infected parties and I would say that the lack of Linux forensic knowledge is the main problem for sysadmins. Windigo uses a lot of tricks to stay under the radar. Since it doesn’t interrupt the affected server’s legitimate activity, such a server could be infected for a very long time before the administrator notices the infection. Some sysadmins may stay in denial and refuse to believe their server is infected.\r\nWhat does the ESET research team do to raise awareness of the issue?\r\nWe are trying to reach out to the security community to help sites with Internet-facing servers protect themselves against the Windigo threat, and against other general-purpose Linux malware overall. An effective way to do so is to get the opportunity to speak directly to system administrators and security researchers who are front-line defenders against such threats. That’s why we were so happy to present on the topic at DerbyCon and, in collaboration with Yandex, at Virus Bulletin.\r\nIn the near future we will be presenting at the following conferences:\r\nLinuxCon Europe, October 15th, Düsseldorf, Germany\r\nSecTor, October 22nd, Toronto, Canada\r\nCSAW:Threads, November 13-14th, New York, USA\r\nconf.au, January 16th, Auckland, New Zealand\r\nIf your readers would like to know more about Operation Windigo or Linux malware reverse-engineering, forensics and incident response, please come and talk to us.\r\nWhat kind of changes were introduced in the recent versions of the Linux/Ebury malware?\r\nThe authors of the Ebury malware react quite quickly to our publications. Within a month, we’ve seen a new version of the malware evading our indicators of compromise. Here are a few of the most noticeable changes:\r\nThe version number has jumped to 1.5.1 (which is the latest version number that we’ve seen). We also saw version 1.4.1 for the first time in April 2014. At the time we released the Operation Windigo report in March, the latest version observed had been 1.3.5.\r\nEbury no longer uses shared memory for storing stolen credentials and maintaining inter-process communication. Instead, a new process is started and injected with the Ebury payload with LD_PRELOAD. Stolen credentials are kept in this new process’s address space. Inter-Process Communication (IPC) with OpenSSH is initiated over a UNIX domain socket.\r\nThe domain name generator algorithm (DGA) used as a backup to exfiltrate credentials has changed. This backup is used when it has not been configured by the operator.\r\nVersion 1.5 no longer infects the .so file directly. The Ebury payload is located in a new file in the library directory with the filename libns2.so. The system’s original libkeyutils.so is then patched to link to this new malicious library instead of libc.so.6. The Ebury code will then be loaded and hook OpenSSH.\r\nUsing this new information gleaned from our monitoring, CERT-Bund has updated its page with the Ebury IOCs.\r\nIn addition to the “Good job, ESET!” from the malware authors, your team has won the first Virus Bulletin Péter Szőr award for your report on Operation Windigo. How does that make you feel?\r\nThere were a lot of excellent papers on malware research this year and I would like to give credit and respect to the other nominees and to all the researchers who have published great work in recent years.\r\nIn addition to what was said before, I would like to acknowledge that most of the co-authors and researchers involved in the Operation Windigo paper are newcomers to the anti-virus industry. For us, receiving an award like this is much appreciated recognition from our peers and gives us confidence that we are heading in the right direction.\r\nRecognition of ESET's work by malware authors\r\nOur first priority is to protect our customers against all threats, including new and emerging ones. As a researcher, it is great to be able to focus deeply on a specific threat like this one. Thanks to ESET's belief in proper research, we were able to really do a deep investigation and protect our customers at the same time. We are really pleased it was so well received by the press, our customers and Virus Bulletin.\r\nThanks, Marc-Etienne, for your time.\r\nSource: https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/"
	],
	"report_names": [
		"operation-windigo-good-job-eset-says-malware-author"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a62a822de00eba4e3feb79d471e2e74267b953c.pdf",
		"text": "https://archive.orkl.eu/1a62a822de00eba4e3feb79d471e2e74267b953c.txt",
		"img": "https://archive.orkl.eu/1a62a822de00eba4e3feb79d471e2e74267b953c.jpg"
	}
}