Security Experts:

SSH Backdoor Linked to Linux Rootkits

Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.

Weeks after the rootkit was discovered, additional research linked the malicious Apache module to hijacked Web content. Although the Linux-based malware was designed to serve practically any type of content, researchers at ESET said it was pushing a variant of the Zbot (Zeus) family of banking Trojans. Making matters worse, the malware was being deployed within crime kits.

Linux Rootkit

At the time of the rootkit’s discovery, Kaspersky Lab called the sample they examined "outstanding".

“It's an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario,” said Kaspersky’s Marta Janus at the time.

As it turns out, there was more to the story. A blog post published by researchers from Web security firm Sucuri on Wednesday, described the discovery of a backdoored version of the SSH daemon on compromised servers used during the rootkit attacks.

“Another part of the compromise that we haven’t seen mentioned anywhere else is how the attackers keep access to the owned servers. We have noticed that they are modifying all SSH binaries and inserted a version that gives them full access back to the server,” the blog post explains. 

They’re still examining the compromised SSH binaries, but Securi is certain that each time someone logged in to the server, the attackers used their newly hijacked daemon access to record the login details. Even if the rootkit was discovered and removed, or the passwords changed, the compromised SSH access means that attackers could keep control of the server.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.