Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

SSH Backdoor Linked to Linux Rootkits

Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.

Last November, SecurityWeek reported about the discovery of a rootkit on Linux that was injecting malicious iFrames into websites. The module, recognized by experts as a unique piece of malware, has been linked to the discovery of SSH implementations with backdoors.

Weeks after the rootkit was discovered, additional research linked the malicious Apache module to hijacked Web content. Although the Linux-based malware was designed to serve practically any type of content, researchers at ESET said it was pushing a variant of the Zbot (Zeus) family of banking Trojans. Making matters worse, the malware was being deployed within crime kits.

Linux Rootkit

At the time of the rootkit’s discovery, Kaspersky Lab called the sample they examined “outstanding”.

“It’s an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server – and therefore working as a part of drive-by download scenario,” said Kaspersky’s Marta Janus at the time.

As it turns out, there was more to the story. A blog post published by researchers from Web security firm Sucuri on Wednesday, described the discovery of a backdoored version of the SSH daemon on compromised servers used during the rootkit attacks.

“Another part of the compromise that we haven’t seen mentioned anywhere else is how the attackers keep access to the owned servers. We have noticed that they are modifying all SSH binaries and inserted a version that gives them full access back to the server,” the blog post explains. 

They’re still examining the compromised SSH binaries, but Securi is certain that each time someone logged in to the server, the attackers used their newly hijacked daemon access to record the login details. Even if the rootkit was discovered and removed, or the passwords changed, the compromised SSH access means that attackers could keep control of the server.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...