Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.
Weeks after the rootkit was discovered, additional research linked the malicious Apache module to hijacked Web content. Although the Linux-based malware was designed to serve practically any type of content, researchers at ESET said it was pushing a variant of the Zbot (Zeus) family of banking Trojans. Making matters worse, the malware was being deployed within crime kits.
At the time of the rootkit’s discovery, Kaspersky Lab called the sample they examined “outstanding”.
“It’s an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server – and therefore working as a part of drive-by download scenario,” said Kaspersky’s Marta Janus at the time.
As it turns out, there was more to the story. A blog post published by researchers from Web security firm Sucuri on Wednesday, described the discovery of a backdoored version of the SSH daemon on compromised servers used during the rootkit attacks.
“Another part of the compromise that we haven’t seen mentioned anywhere else is how the attackers keep access to the owned servers. We have noticed that they are modifying all SSH binaries and inserted a version that gives them full access back to the server,” the blog post explains.
They’re still examining the compromised SSH binaries, but Securi is certain that each time someone logged in to the server, the attackers used their newly hijacked daemon access to record the login details. Even if the rootkit was discovered and removed, or the passwords changed, the compromised SSH access means that attackers could keep control of the server.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
