Watch the stream
In 2014, we published a paper about Operation Windigo, where we described a cluster of server-side threats fuelled by Ebury, a backdoor and credential stealer injected into the OpenSSH server and client of compromised servers. That report shed light on web traffic redirections, delivery of Windows malware, and spam campaigns, all using Ebury-compromised servers.
After the arrest and extradition of one of the perpetrators in 2015, some of the monetization activities temporarily stopped, but not all of the botnet’s activities. Ebury continued to be updated and deployed to tens of thousands of servers each year, to reach a cumulative total of nearly 400,000 victims since 2009, the first year Ebury was seen. Moreover, we have discovered its operators have added more tools to their arsenal, such as Apache modules to exfiltrate HTTP requests or proxy traffic, Linux kernel modules to perform traffic redirections, and modified Netfilter tools to inject and hide firewall rules.
For this investigation we set up honeypots to collect Ebury samples and understand deployment tactics, and partnered with law enforcement. This gave us unique visibility into the perpetrators’ activities, which expanded to include cryptocurrency theft and possibly exfiltration of credit card details. We now have a better understanding of how they expand their botnet not only by stealing credentials, but also by actively trying to compromise the hosting provider’s infrastructure to deploy malware on all of the providers’ customer-rented servers. In some cases, this resulted in the compromise of tens of thousands of servers, hosting millions of domains.
The latest update to Ebury, versioned 1.8.2, was first seen in January 2024. In the past years, clever userland rootkit functionalities were added to Ebury, which make its detection a lot more difficult than before. From a system administrator’s perspective, not only is the malware file absent, but none of the resources it uses – such as processes, sockets, and mapped memory – are listed when inspecting the system.
This presentation not only reveals the latest toolset of the Ebury gang, but also discusses detection techniques to protect against some of the trickiest Linux threats. Some techniques are specific to Ebury, but most apply to the detection of any userland rootkit.