ESET identified 21 malicious packages that replace OpenSSH


ESET recently published a report (a 53-page PDF) presenting the results of its analysis of a set of Trojanized packages that attackers installed after compromising Linux hosts.

They did this in order to leave a backdoor or to intercept user passwords while the user connected to other hosts.

All of the Trojan variants examined replaced components of the OpenSSH client or server.

About the detected packages

Eighteen of the identified variants included functions to intercept login passwords and encryption keys, and 17 provided backdoor functions that allow an attacker to secretly gain access to the compromised host using a predefined password.

In addition, the researchers discovered that an SSH backdoor used by DarkLeech operators is the same one used by Carbanak a few years later, and that the threat actors had developed a wide spectrum of complexity in their backdoor implementations, ranging from publicly available malicious programs to custom network protocols and samples.

How was this possible?

The malicious components were deployed after a successful attack on the system; as a rule, attackers gained access through ordinary password guessing or by exploiting unpatched vulnerabilities in web applications or server services, after which, on outdated systems, they used further attacks to escalate their privileges.

The history of how these malicious programs were identified deserves attention.

While analyzing the Windigo botnet, the researchers noticed code in the Ebury backdoor, which replaces ssh, that checked before launching whether other OpenSSH backdoors were already installed.

To identify competing Trojans, a list of 40 signatures was used.

Checking these signatures, ESET researchers found that many of them did not match any previously known backdoor, so they began looking for the missing instances, including by deploying a network of vulnerable honeypot servers.

As a result, 21 variants of Trojanized packages that replace SSH were identified, and they have remained in use in recent years.


What do ESET staff argue on the matter?

The ESET researchers admitted that they did not discover these strains first-hand. That honor goes to the creators of another Linux malware called Windigo (aka Ebury).

ESET says that while analyzing the Windigo botnet and its central Ebury backdoor, they found that Ebury had an internal mechanism that looked for other locally installed OpenSSH backdoors.

The way the Windigo team did this, ESET said, was by using a Perl script that scanned 40 file signatures (hashes).

"When we examined these signatures, we quickly realized that we had no samples that matched most of the back doors described in the script," said Marc-Etienne M. Léveillé, ESET malware analyst.

"The malware operators actually had more knowledge and visibility of SSH backdoors than we did," he added.

The report does not go into detail on how botnet operators plant these OpenSSH versions on infected hosts.

But if we've learned anything from previous reports on Linux malware operations, it's that hackers often rely on the same old techniques to gain a foothold on Linux systems:

  • Brute force or dictionary attacks that try to guess SSH passwords. Using strong, unique passwords or an IP filtering system for SSH logins should prevent these types of attacks.

  • Exploitation of vulnerabilities in applications that run on the Linux server (for example, web applications, CMS, etc.). If the application or service has been misconfigured to run with root access, or if the attacker exploits a privilege escalation flaw, a common initial compromise through an outdated WordPress plugin can easily be escalated to the underlying operating system. Keeping everything up to date, both the operating system and the applications that run on it, should prevent this type of attack.

ESET also prepared a detection script and antivirus rules, as well as a dynamic table with the characteristics of each type of SSH Trojan.

Affected files on Linux

The table also lists the additional files each variant creates on the system and the passwords used for access through the backdoor, which help to identify OpenSSH components that have been replaced.

For example, in some cases the following files were used to record intercepted passwords:

  • "/usr/include/sn.h",
  • "/usr/lib/mozilla/extensions/mozzlia.ini",
  • "/usr/local/share/man/man1/Openssh.1",
  • "/etc/ssh/ssh_known_hosts2",
  • "/usr/share/boot.sync",
  • "/usr/lib/",
  • "/usr/lib/libcurl.a.2.1",
  • "/var/log/utmp",
  • "/usr/share/man/man5/ttyl.5.gz",
  • "/usr/share/man/man0/.cache",
  • "/var/tmp/.pipe.sock",
  • "/etc/ssh/.sshd_auth",
  • "/usr/include/X11/sessmgr/",
  • "/etc/gshadow--",
  • "/etc/X11/.pr"
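As an added example (not ESET's script nor the article's own code), the following POSIX shell functions check a host for the indicator files listed above and verify the installed OpenSSH packages against the package database, which catches a replaced sshd or ssh binary even when no indicator file is present. The "/etc/gshadow--" spelling and the omission of the two directory entries are assumptions made here.

```shell
# Added example (not ESET's script): look for the indicator files quoted in the
# article and verify the installed OpenSSH binaries against the package database.
# The two directory entries ("/usr/lib/", "/usr/include/X11/sessmgr/") are
# omitted as truncated; "/etc/gshadow--" is an assumed reading of the mangled entry.
INDICATOR_PATHS="
/usr/include/sn.h
/usr/lib/mozilla/extensions/mozzlia.ini
/usr/local/share/man/man1/Openssh.1
/etc/ssh/ssh_known_hosts2
/usr/share/boot.sync
/usr/lib/libcurl.a.2.1
/var/log/utmp
/usr/share/man/man5/ttyl.5.gz
/usr/share/man/man0/.cache
/var/tmp/.pipe.sock
/etc/ssh/.sshd_auth
/etc/gshadow--
/etc/X11/.pr
"
# check_ssh_indicators [ROOT]: print every indicator present under ROOT (empty
# ROOT = live filesystem). Returns 1 if any indicator was found, 0 otherwise.
check_ssh_indicators() {
    root="${1:-}"
    found=0
    for p in $INDICATOR_PATHS; do
        if [ -e "${root}${p}" ]; then
            echo "INDICATOR: ${root}${p}"
            found=1
        fi
    done
    return "$found"
}
# verify_openssh_packages: list OpenSSH files whose checksum or mode no longer
# matches the package database (dpkg -V on Debian-like, rpm -V on RPM systems).
verify_openssh_packages() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-server openssh-client 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-server openssh-clients
    else
        echo "no supported package manager found" >&2
        return 2
    fi
}
# Live-host usage: check_ssh_indicators; verify_openssh_packages
```

Run it from a trusted environment (for example a rescue boot with the suspect disk mounted and passed as ROOT), since a Trojanized host may also tamper with the tools used to inspect it.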


2 comments


  1.   nickd89 said

    Interesting article.
    I searched one by one in the directories and found one,
    "/etc/gshadow--",
    what will happen if I delete it?

  2.   George said

    That "gshadow" file also appears to me and asks for root permissions to analyze it ...