Source: Skorzewiak via Alamy Stock Photo

A Linux-based botnet is alive and well, powering cryptocurrency theft and financial scams years after the imprisonment of one the key perpetrators behind it.

The Ebury botnet – which was first discovered 15 years ago – has backdoored nearly 400,000 Linux, FreeBSD, and OpenBSD servers. More than 100,000 servers were still compromised as of late 2023, according to new research from cybersecurity vendor ESET.

Victims include universities, small and large enterprises, Internet service providers, cryptocurrency traders, Tor exit nodes, and many hosting providers worldwide.

Anatomy of a Threat

Ebury is an OpenSSH backdoor that's used to steal credentials like SSH keys and passwords. It creates a backdoor on the infected server that facilitates the deployment of secondary malware modules such as Cdorked, an HTTP backdoor used to redirect Web traffic and modify DNS settings, and Calfbot, a Perl script used to send spam emails.

Over the years, Ebury has served as a platform for spam distribution, Web traffic redirections, and credential-stealing, among other scams. Most recently, the gang running the botnet has pivoted to credit card and cryptocurrency theft, researchers found.

The attackers use adversary-in-the-middle tactics to intercept the SSH traffic of interesting targets – including Bitcoin and Ethereum nodes - within data centers, and then redirecting traffic to a server under their control. Once a would-be victim types their password into a cryptocurrency wallet hosted on the compromised server, Ebury automatically steals those wallets, according to ESET, which this week released updated research and a white paper on the Ebury botnet.

They also appear to be making attempts to muscle out potential credit card theft competitors. Case in point: Ebury malware attempts to detect and remove the BigBadWolf banking Trojan from compromised systems.

Ebury's operators employ zero-day vulnerabilities in the server administrator software to hack servers at scale and extract credentials from the victim servers, the researchers found. The attackers also use known passwords and keys to hack into related systems, which allow them to surreptitiously install Ebury on multiple servers rented from any compromised hosting providers.

At one hosting provider, total of 70,000 servers were compromised by Ebury in 2023, the researchers said.

"Whenever a hosting provider was compromised, it led to a vast number of compromised servers in the same data centers," wrote ESET researcher Marc-Etienne M. Léveillé, who has been investigating Ebury for more than a decade.

In perhaps one of Ebury's most infamous campaigns, from 2009 to 20011 it successfully hacked Kernel.org, which hosts the source code of the Linux kernel. Half of its Kernel.org's developer SSH passwords were stolen during that period.

Cops and Robbers

In 2014, ESET revealed that it had teamed up with Dutch police in an investigation of servers in the Netherlands suspected of being compromised with Ebury malware. Then in 2015, one of the Ebury perpetrators, Russian citizen Maxim Senak, was arrested at the Finland-Russia border and extradited to the US. He eventually pled guilty to fraud and computer hacking charges in 2017 and was sentenced to 46 months in prison.  

Since then, Ebury's remaining masterminds have kept a low profile. They don't advertise their activities and "we've never seen them attempting to sell access" to compromised systems on Dark Net forums, ESET's Léveillé wrote in his post.

The Dutch National High Tech Crime Unit (NHTCU) in 2021 contacted ESET after finding Ebury on the server of a victim of cryptocurrency theft. That law enforcement investigation into Ebury remains ongoing.

Keeping Linux Safe from Ebury

Ebury malware operators regularly add new features. The latest version 1.8.2, spotted earlier this year, bundles new obfuscation techniques, a new domain-generation algorithm, and a stealthier rootkit functionality.

ESET this week released a set of detection and remediation tools to help system administrators determine whether their systems are compromised by Ebury.

Clean-up operations are non-trivial for an Ebury infection, ESET warns. Robert Lipovsky, principal threat intelligence researcher at ESET, told Dark Reading that even if system admins sanitize their infected servers, the cybercriminals behind Ebury might be able to reinstall the malware if compromised credentials get reused.

While there are tools available for adding multi-factor authentication to SSH servers, deployment is not simple, so systems admins often skip that extra level of security. "The continuing problems posed by Ebury illustrate the lack of visibility on Linux-based server-side threats," ESET's Léveillé told Dark Reading.