Ebury has been active since 2009 and currently affects more than 400,000 Linux servers

ESET image showing the iterations between the Ebury perpetrators and a honeypot

Few days ago, ESET researchers published a publication in which they address the activities associated with “Ebury” rootkit. According to the report, Ebury has been active since 2009 and has infected more than 400,000 servers running Linux, as well as several hundred FreeBSD, OpenBSD and Solaris-based systems. ESET reports that at the end of 2023, there were still around 110,000 servers affected by Ebury.

This studio is particularly relevant due to the attack on kernel.org in which Ebury was involved, revealing new details regarding the infiltration of the Linux kernel development infrastructure in 2011. Additionally, Ebury has been detected on domain registration servers, crypto exchanges, Tor exit nodes, and several anonymous hosting providers.

Ten years ago we raised awareness about Ebury by publishing a white paper we called Operation Windigo, which documented a campaign that leveraged Linux malware for financial gain. Today we publish a follow-up article on how Ebury has evolved and the new malware families its operators are using to monetize their Linux server botnet.

Initially it was thought that the attackers that compromised kernel.org servers They remained undetected for 17 days. However, according to ESET, this period was calculated from the installation of the Phalanx rootkit.

But this was not the case, since Ebury, which was already present on the servers since 2009, and this allowed root access for about two years. Ebury and Phalanx were installed as part of different attacks carried out by different groups of attackers. The installation of the Ebury backdoor affected at least 4 servers in the kernel.org infrastructure, two of which were compromised and undetected for about two years and the other two for a period of 6 months.

It is mentioned that the Attackers managed to access the password hashes of 551 users stored in /etc/shadow, including kernel maintainers. These accounts They were used to access Git.

After the incident, changes were made to passwords and the access model was revised to incorporate digital signatures. Of the 257 affected users, the attackers managed to determine the passwords in clear text, probably by using hashes and intercepting passwords used in SSH by the Ebury malicious component.

The malicious component Ebury spread as a shared library which intercepted functions used in OpenSSH to establish remote connections to systems with root privileges. This attack did not specifically target kernel.org, and as a result, the affected servers became part of a botnet used to send spam, steal credentials for use on other systems, redirect web traffic, and carry out other malicious activities. .

The Ebury malware family itself has also been updated. The new major version update, 1.8, was first seen in late 2023. Among the updates are new obfuscation techniques, a new domain generation algorithm (DGA), and improvements to the user rootkit used by Ebury to hide from system administrators. When active, the process, file, socket, and even allocated memory (Figure 6) are hidden.

In order to infiltrate the servers, the Attackers exploited unpatched vulnerabilities in server software, such as failures in hosting panels and intercepted passwords.

In addition, it is presumed that the kernel.org servers were hacked after compromising the password of one of the users with access to the shell and vulnerabilities such as Dirty COW were used to escalate privileges.

It is mentioned that the most recent versions of Ebury, in addition to the backdoor, included additional modules for Apache httpd, allowing to send traffic through proxy, redirect users and intercept confidential information. They also had a kernel module to modify HTTP traffic in transit and tools to hide their own traffic from firewalls. Additionally, they included scripts to carry out Adversary-in-the-Middle (AitM) attacks, intercepting SSH credentials on hosting provider networks.

Finally, if you are interested in being able to know more about it, you can consult the details in the following link

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.