Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

SSH Backdoor Linked to Linux Rootkits

Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.

Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.

Weeks after the rootkit was discovered, additional research linked the malicious Apache module to hijacked Web content. Although the Linux-based malware was designed to serve practically any type of content, researchers at ESET said it was pushing a variant of the Zbot (Zeus) family of banking Trojans. Making matters worse, the malware was being deployed within crime kits.

Linux Rootkit

At the time of the rootkit’s discovery, Kaspersky Lab called the sample they examined “outstanding”.

“It’s an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server – and therefore working as a part of drive-by download scenario,” said Kaspersky’s Marta Janus at the time.

As it turns out, there was more to the story. A blog post published by researchers from Web security firm Sucuri on Wednesday, described the discovery of a backdoored version of the SSH daemon on compromised servers used during the rootkit attacks.

“Another part of the compromise that we haven’t seen mentioned anywhere else is how the attackers keep access to the owned servers. We have noticed that they are modifying all SSH binaries and inserted a version that gives them full access back to the server,” the blog post explains. 

They’re still examining the compromised SSH binaries, but Securi is certain that each time someone logged in to the server, the attackers used their newly hijacked daemon access to record the login details. Even if the rootkit was discovered and removed, or the passwords changed, the compromised SSH access means that attackers could keep control of the server.

Advertisement. Scroll to continue reading.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.