A widespread cybercriminal campaign that has seized control of over 25 000 Unix servers worldwide has been uncovered by security researchers at Eset, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing and other agencies.

The attack, which has been dubbed “Operation Windigo” by security experts, has resulted in infected servers sending out millions of spam e-mails. It is a complex knot of sophisticated malware components designed to hijack servers, infect the computers that visit them, and steal information.

Victims of “Operation Windigo” have included cPanel and kernel.org.

While some experts have spotted elements of the Windigo cybercriminal campaign, the sheer size and complexity of the operation has remained largely unrealised by the security community.

“Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10 000 servers under its control,” says Eset’s new business development director, Lee Bristow.

“Over 35-million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit Web sites that have been poisoned by Web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”

Interestingly, although Windigo-affected Web sites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.

With more than 60% of the world’s Web sites running on Linux servers, ESET researchers are calling on Web masters and system administrators to check their systems to see if they have been compromised.