Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

SSH Backdoor Linked to Linux Rootkits

Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.

Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.

Weeks after the rootkit was discovered, additional research linked the malicious Apache module to hijacked Web content. Although the Linux-based malware was designed to serve practically any type of content, researchers at ESET said it was pushing a variant of the Zbot (Zeus) family of banking Trojans. Making matters worse, the malware was being deployed within crime kits.

Linux Rootkit

At the time of the rootkit’s discovery, Kaspersky Lab called the sample they examined “outstanding”.

“It’s an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server – and therefore working as a part of drive-by download scenario,” said Kaspersky’s Marta Janus at the time.

As it turns out, there was more to the story. A blog post published by researchers from Web security firm Sucuri on Wednesday, described the discovery of a backdoored version of the SSH daemon on compromised servers used during the rootkit attacks.

“Another part of the compromise that we haven’t seen mentioned anywhere else is how the attackers keep access to the owned servers. We have noticed that they are modifying all SSH binaries and inserted a version that gives them full access back to the server,” the blog post explains. 

They’re still examining the compromised SSH binaries, but Securi is certain that each time someone logged in to the server, the attackers used their newly hijacked daemon access to record the login details. Even if the rootkit was discovered and removed, or the passwords changed, the compromised SSH access means that attackers could keep control of the server.

Advertisement. Scroll to continue reading.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...