Jean-Ian Boutin
Ebury: Public-private partnership unveils the full scale of a sophisticated Linux threat
We present a joint investigation with European law enforcement into Ebury – a large-scale Linux server threat. We discovered new tools and capabilities, insights into deployment and uncovered compromises of multiple security-savvy organizations – including kernel.org.
Ebury’s OpenSSH backdoor is the core of a cluster of server-side threats, initially used for web redirections, Windows malware delivery, and spamming as first described in our 2014 Operation Windigo paper. After the 2015 arrest and extradition of one perpetrator, monetization temporarily reduced, but not all the botnet’s activities. Update deployment continued to tens of thousands of servers annually, reaching nearly 400,000 servers since 2009.
Our customized honeypots combined with LE partnership now give us unique visibility into perpetrator activities, which expanded to include cryptocurrency and credit card theft. This provided better understanding of how Ebury propagated by stealing credentials and compromising hosting provider infrastructure, deploying malware on all customer-rented servers, sometimes resulting in thousands of servers compromised, hosting millions of domains. We discovered further tools in the operators’ arsenal, supporting their monetization efforts – Apache modules exfiltrating HTTP requests or proxying traffic, Linux kernel modules performing redirections, and modified Netfilter tools injecting firewall rules.
We also explore the wily userland rootkit added to Ebury, significantly complicating its detection, and how Ebury’s decades-long large-scale operations, and its ability to compromise even the most knowledgeable Linux users, highlight multiple gaps in the state of Linux security, and propose steps forward.
Jean-Ian is the Director of the Threat Research department at ESET where he investigates trends in malware, reverse-engineers binaries and finds effective techniques to counter new threats. He has presented at prominent security conferences, including RSA, Black Hat, REcon, BlueHat, Virus Bulletin, and ZeroNights.
