Some antivirus products detect the virus but most do not.
Web server system administrators should be aware that several pieces of Linux malware, including the rootkit known as Ebury SSH, are part of an operation that has infected approximately 25,000 web servers over the past two years, according to a March 19 report by The Whir. Administrators are strongly urged to check their web servers for Ebury SSH, which is a key component of a larger and more sophisticated malware operation called “Windigo.” Windigo redirects web traffic through the HTTP backdoor Linux/Cdorked and uses a Perl script, Perl/Calfbot, to send spam.
Since at least 2011, Windigo has compromised a wide range of operating systems, including Linux (and Linux on the ARM architecture), Microsoft Windows (through Cygwin), FreeBSD, OpenBSD and Apple OS X. According to CERT-Bund, a German government research agency, Ebury is a Secure Shell rootkit/backdoor trojan for Unix- and Linux-like operating systems. CERT-Bund says attackers can use the backdoor Ebury provides to obtain a remote root shell on infected hosts.
Ebury steals SSH login credentials from both incoming and outgoing SSH connections. Systems compromised by Ebury are infected at the root level; rather than attempting to clean them up, they are best dealt with by reinstalling the entire operating system. Some antivirus products detect Ebury, generally under the names ‘Sshdkit’ or ‘SSHDoor’, but ClamAV and tools such as rkhunter and chkrootkit presently do not.
ESET notes that Windigo has two sets of victims: the Linux/Unix operators whose servers were compromised, and Windows end-users who visit legitimate websites hosted on those compromised servers. Over 700 web servers are presently redirecting visitors to malicious content, and Windigo sends an average of 35 million spam messages per day.