Asked Sunday, May 29, 2022 (1 answer, 1079 hits)

Should desktop users of Ubuntu (and other Linux distros) be concerned about the malware-infection drive described as "Operation Windigo"?



What threat does it pose to us immediately and are there any longer term ramifications?



Answers

Answer score: 7

Just reread the question. If you're on an install without SSH or your SSH server is not available online (e.g. it is blocked by a NAT router, et al.), you have nothing to fear from this news. The whole attack requires SSH.


Additionally, if you're not running a webserver (and by extension you're not on an awesome internet connection), it seems unlikely —though, and importantly, not impossible— that Windigo is going to bother you, even if you do have an exposed SSH server.


That's not to say you're free from any risk. There is other malware and there will be even more as time goes on and Ubuntu gains users. It's also stupidly easy to manipulate people. I had a little rant a few years ago: Linux isn't invulnerable. Don't say it is.




Anyway, if you're still reading, I'm going to assume you're running an SSH server on the internet.


The ESET post and PDF writeup on "Operation Windigo" should tell you everything you need in order to tell if you're at risk or are currently infected. They have sample code that can be copied out and run to test your system.


The whole thing is certainly worth a read but this isn't the security apocalypse some might suggest. The primary route by which these servers became infected was human idiocy:



No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past.



So for all the fanfare, this is a very basic infection technique. They're either cracking passwords (dictionary attacks most likely) or they're stealing SSH keys off client computers, backups, etc. I'd like to think it's the first.


There is nothing clever or new about this. Everybody running an SSH server faces those risks and they're really easy to protect against. Just practise basic SSH security and you'll be fine: use password-protected keys and not passwords, run sshd on a high port, fail2ban, no root user. If you ignore these basics and run an SSH server where you're allowing root logins with a password, you'll get hacked.


And just because this wasn't an exploit-based infection doesn't mean the next one won't be. Staying up to date with security-release packages is vital. Make it automatic. Making sure your PHP (et al.) scripts are updated is vital; subscribe to your authors' RSS feeds.




The significance of Windigo is the sophistication and portability of the rootkit that gets installed on the servers. There is network resilience through dynamic DNS, not static IPs, multiple httpd configurations to maximise success rates, the lack of dependencies in this whole stack that makes it almost certain to run in all scenarios (even on ARM)... and by all accounts the payloads (the spam, and infection kits for client computers) are very effective. 1% success is epic when you're talking about 500K a day.


The "this is happening on Linux so Linux is insecure" inference I can see in some quarters is nonsense. This could happen on any platform and frankly, it already does. What is special here is that this has been pulled together by competent developers. Thankfully the ingress point is pretty much as simple as a burglar finding the spare key under the doormat.




The Too Long; Didn't Read version...


It seems the hacked servers were run by idiots with weak security but don't be complacent. Check to see if your servers are infected and check to see you're not making the same stupid mistakes as the people who are currently infected.


Answer #26419 by irripri, Sunday, May 29, 2022
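The answer's basic SSH hygiene (keys instead of passwords, no root login, a non-default port) is all expressed in sshd_config, so here is an added example, not from the post above or from ESET, of a small POSIX sh audit that reads a config file the way sshd does (first uncommented occurrence of a keyword wins, and keywords inside a Match block are conditional and ignored) and flags the settings the answer warns about. Helper names (sshd_opt, audit_sshd_config, weak_count) are hypothetical, the two config files are constructed for the demo, and the defaults assumed for absent keywords are OpenSSH's on 7.0 or newer (PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22). Key passphrases and fail2ban live outside this file and are not checked here.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the post or from ESET):
# audit an sshd_config for the basics the answer lists.
set -e

# Print the effective value of a keyword as sshd reads a flat file:
# first uncommented occurrence wins; parsing stops at the first Match
# block because values inside it only apply conditionally.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0  { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# Report findings for one config file. WEAK: lines are the mistakes the
# answer calls out; NOTE: lines are advisory. Assumption: OpenSSH 7.0+
# defaults for keywords that are absent.
audit_sshd_config() {
    f="$1"
    root=$(sshd_opt "$f" PermitRootLogin);        root=${root:-prohibit-password}
    pass=$(sshd_opt "$f" PasswordAuthentication); pass=${pass:-yes}
    port=$(sshd_opt "$f" Port);                   port=${port:-22}

    [ "$root" = yes ] && echo "WEAK: PermitRootLogin yes (root may log in directly)"
    [ "$pass" = yes ] && echo "WEAK: PasswordAuthentication yes (dictionary attacks possible; use keys)"
    if [ "$root" = yes ] && [ "$pass" = yes ]; then
        echo "WEAK: root login with a password, the combination the answer says gets you hacked"
    fi
    [ "$port" = 22 ] && echo "NOTE: sshd on default port 22; the answer suggests a high port"
    [ "$root" != yes ] && [ "$pass" != yes ] && echo "OK: no root login, no password auth"
    return 0
}

# Number of WEAK findings for a file (0 on a clean config).
weak_count() {
    audit_sshd_config "$1" | grep -c '^WEAK:' || true
}

# Constructed sample configs (not from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed: the spare key under the doormat
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: the basics from the answer; the Match block must not
# change the global result
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config ==";     audit_sshd_config "$WEAK_CFG"
echo "== hardened config =="; audit_sshd_config "$HARD_CFG"
```

Run it against a real host with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the file; an even more faithful check is `sshd -T`, which prints the effective configuration after defaults and includes are resolved, and the same awk filter can be pointed at its output.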