Backdoor:Linux/Ebury.A is a backdoor trojan that allows unauthorized access and control of an affected computer. The backdoor has been distributed as a modified version of OpenSSH - an open source alternative to proprietary Secure Shell Software (SSH).
The backdoor OpenSSH version was discovered in a Debian environment, distributed in a 32-bit and 64-bit ELF (executable) binary format. This specifically affects Unix environments.
Installation
Backdoor:Linux/Ebury.A is a trojanized version of OpenSSH, which may be found on a binary directory of a Unix-based computer, as one of the following files:
- /usr/bin/ssh
- /usr/sbin/sshd
- /usr/bin/ssh-add
When executed, it functions just like any clean and legitimate OpenSSH binary.
The backdoor is configured to allow the remote attacker to log in to the affected user's computer. The communication and remote connection is protected, which ensures that the attacker has sole use of this backdoor for virtually any purpose.
Payload
Contacts remote hosts
Backdoor:Linux/Ebury.A uses User Datagram Protocol (UDP) to send and receive DNS request messages, via port 53, to the following remote hosts:
- 9w7vcuctes.info
- 6gascrcqep.net
- eo7ncmclek.biz
- eoencmclek.net
These domain names have been observed being hosted behind a fast-flux service network, where both the NS records (authoritative name server) and A records (host address) are dynamic or changing. This technique enables the remote attacker to evade identification, while it continues with its malicious activities.
Allows backdoor access and control
The backdoor checks the response messages from the DNS request and it continues until it reaches the remote attacker's server. It attempts to communicate with a remote server by sending requests with obfuscated strings constructed as subdomain of the affected host.
Below are some examples of DNS requests used by the backdoor:
- 614be8f16c0ef8fc6a5a.<IP address>
- 614be8f16c0eff9e06d.<IP address>
- 614be8f16c0eeef6674ce3.<IP address>
Once the remote attacker identifies the backdoor message, it may respond by activating the backdoor with a command. The backdoor uses a unique key to encode and decode command messages.
Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:
- Download and execute arbitrary files
- Upload files
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
- Allow remote attackers login to affected computer
- Cover its tracks by removing traces from SSH logs
- Use SSH-add to add necessary keys to memory (this ensures that the remote connection will be authenticated without prompting for pass-phrase)
- Query backdoor information (for example, SSH version) to ensure login option without prompting for password
Analysis by Methusela Cebrian Ferrer
