The Ebury botnet, notorious for its persistence despite law enforcement actions, remains a formidable threat to Linux servers, according to recent findings from cybersecurity company ESET. Discovered 15 years ago, Ebury has compromised nearly 400,000 servers running Linux, FreeBSD, and OpenBSD, with over 100,000 still affected as of late 2023.
Ebury Botnet: A Detailed Examination
Ebury is an OpenSSH backdoor and credential stealer that harvests SSH keys and passwords. Once installed, it gives its operators a persistent foothold on the infected server, which they use to deploy additional malicious modules, including:
- Cdorked: An HTTP backdoor for redirecting web traffic and altering DNS settings.
- Calfbot: A Perl script used for sending spam emails.
Historically, Ebury has been utilized for spam distribution, web traffic redirections, and credential theft. More recently, its operators have shifted towards credit card and cryptocurrency theft. They employ adversary-in-the-middle techniques to intercept SSH traffic from targets such as Bitcoin and Ethereum nodes, redirecting it to their controlled servers to steal credentials and cryptocurrency wallets.
Ebury’s Modus Operandi
The operators of Ebury exploit zero-day vulnerabilities in server administration software to scale their attacks, compromising numerous servers simultaneously. They also use known passwords and keys to infiltrate related systems, facilitating the widespread installation of Ebury across servers from compromised hosting providers. In one significant incident, 70,000 servers were compromised at a single hosting provider in 2023.
To maintain their foothold, the malware actively removes competing threats like the BigBadWolf banking Trojan from infected systems.
High-Profile Incidents
Ebury’s most infamous campaign occurred between 2009 and 2011, when it successfully breached Kernel.org, the site hosting the Linux kernel’s source code. During this period, half of Kernel.org’s developer SSH passwords were stolen.
Law Enforcement and Ebury
In 2014, ESET collaborated with Dutch police to investigate compromised servers in the Netherlands. This led to the arrest of Russian citizen Maxim Senak in 2015 at the Finland-Russia border. Senak was extradited to the US, where he pleaded guilty to fraud and computer hacking charges in 2017, receiving a 46-month prison sentence. Despite this, Ebury’s masterminds have continued their operations discreetly, avoiding dark web forums and maintaining a low profile.
Mitigation and Ongoing Threats
ESET’s recent report highlights ongoing challenges in detecting and removing Ebury malware. The latest version of Ebury includes advanced obfuscation techniques, a new domain-generation algorithm, and enhanced rootkit functionality. ESET has released tools to help system administrators identify and remediate Ebury infections. However, cleanup is complicated, as reusing compromised credentials can lead to reinfection.
Although multi-factor authentication tools for SSH servers are available, their deployment is complex enough that system administrators often skip this extra security layer, leaving servers vulnerable. The persistence of Ebury underscores the need for greater visibility into, and stronger defenses against, threats to Linux-based servers.
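The two mitigation points above, that password-based access lets compromised credentials reinfect a cleaned host and that SSH multi-factor authentication is often left undeployed, can both be checked against a server's effective sshd configuration. The script below is an added example, not ESET's tooling and not code from the article: it audits a saved `sshd -T` dump (the effective configuration, printed as lowercase keyword/value lines) for an `AuthenticationMethods` chain that requires a key plus a second factor, for password authentication being disabled, and for root not being reachable by password. The two sample dumps are constructed for the example and do not come from any real host.

```shell
#!/bin/sh
# Added example (not ESET's tooling or code from the article): audit a saved
# `sshd -T` dump for settings that blunt SSH credential theft and reuse.
# On the host, run `sshd -T > /tmp/sshd.dump` and audit that file offline.

# First value of a keyword in the dump (empty if absent).
cfg_value() {
    awk -v k="$2" '$1==k { print $2; exit }' "$1"
}

# Print one line per check; return the number of failed checks (0 = all pass).
audit_sshd_config() {
    cfg="$1"
    fails=0

    # 1. Every alternative in AuthenticationMethods must chain two or more
    #    methods (comma-separated), e.g. publickey,keyboard-interactive with
    #    PAM supplying the second factor. The default "any" allows one factor.
    methods=$(awk '$1=="authenticationmethods" { $1=""; print; exit }' "$cfg")
    mfa=yes
    if [ -z "$methods" ]; then mfa=no; fi
    for alt in $methods; do
        case "$alt" in
            *,*) ;;
            *) mfa=no ;;
        esac
    done
    if [ "$mfa" = yes ]; then
        echo "PASS authenticationmethods:$methods"
    else
        echo "FAIL authenticationmethods: ${methods:-unset} (need key + second factor)"
        fails=$((fails + 1))
    fi

    # 2. Password-only logins are exactly what a stolen or reused password unlocks.
    if [ "$(cfg_value "$cfg" passwordauthentication)" = no ]; then
        echo "PASS passwordauthentication no"
    else
        echo "FAIL passwordauthentication must be no"
        fails=$((fails + 1))
    fi

    # 3. If the second factor is keyboard-interactive (PAM), sshd must accept it.
    #    Older releases print this keyword as challengeresponseauthentication.
    case "$methods" in
        *keyboard-interactive*)
            kbd=$(cfg_value "$cfg" kbdinteractiveauthentication)
            if [ -z "$kbd" ]; then kbd=$(cfg_value "$cfg" challengeresponseauthentication); fi
            if [ "$kbd" = yes ]; then
                echo "PASS kbdinteractiveauthentication yes"
            else
                echo "FAIL kbdinteractiveauthentication must be yes for keyboard-interactive MFA"
                fails=$((fails + 1))
            fi
            ;;
    esac

    # 4. Root must never be reachable with a password.
    if [ "$(cfg_value "$cfg" permitrootlogin)" = yes ]; then
        echo "FAIL permitrootlogin yes (use no or prohibit-password)"
        fails=$((fails + 1))
    else
        echo "PASS permitrootlogin $(cfg_value "$cfg" permitrootlogin)"
    fi

    return "$fails"
}

# Constructed sample dumps (not from real hosts): a stock config and a hardened one.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes
authenticationmethods any
EOF
cat > "$HARD_CFG" <<'EOF'
port 22
permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
authenticationmethods publickey,keyboard-interactive
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== auditing $f"
    audit_sshd_config "$f"
    echo "failed checks: $?"
done
```

The stock dump fails three checks (single-factor `any`, password logins on, root login by password) while the hardened dump passes all of them. Auditing `sshd -T` rather than `/etc/ssh/sshd_config` matters because the effective configuration includes `Include`d files and `Match` blocks, which is where a permissive override that survived a cleanup tends to hide.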