December 5, 2018 – ESET, a global leader in cybersecurity, has announced its latest discovery of 12 previously undetected Linux malware families based on OpenSSH, documented in its latest research paper “The Dark Side of the ForSSHe”. These powerful tools give attackers full control over a Linux server’s operations and are widely used by both crimeware and APT groups. OpenSSH is the most common tool system administrators use to manage virtual, cloud or dedicated rented Linux servers and, since 37% of public-facing internet servers run Linux, OpenSSH is a frequent point of attack for threat actors seeking full control of the targeted servers.
The research, which involved deploying custom honeypots, classifying samples and analyzing the different malware families, provides an overview of the current state of the OpenSSH backdoor landscape. By analyzing the samples, ESET researchers uncovered several notable techniques: one malware family can communicate with its C&C server over HTTP, raw TCP or DNS; other families receive commands through the SSH password or include cryptocurrency-mining features.
Marc-Etienne Léveillé, Senior Malware Researcher at ESET who led the study, commented on the significance of such threats: “Sometimes, I still hear the old adage that Linux is more secure than other operating systems and somehow immune to malware. But the threats they are facing are no less serious and we dedicate resources to research them and improve the protection against them.”
ESET’s latest research follows insights gleaned from its Windigo investigation in 2013, in which ESET researchers discovered a complex botnet of Linux machines, named Operation Windigo, and assisted with disrupting the 25,000-strong botnet. The key component of Windigo was an OpenSSH-based backdoor named Ebury. ESET researchers noted that the malicious actors checked whether other SSH backdoors were already present on a targeted system before deploying Ebury. As most of those backdoors were unknown at the time, ESET decided to start hunting for them, and this latest research is the result of that pursuit.
In order to protect systems and safeguard data, ESET recommends businesses carry out the following:
• Keep systems up-to-date
• Favour key-based authentication for SSH
• Disable remote root login
• Use a multi-factor authentication solution for SSH
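Three of the four recommendations above map directly to sshd_config keywords, so they can be audited. The script below is an added example written for this article, not code from ESET or the research paper; the function names and the sample configuration files are constructed for illustration, and the multi-factor check is a heuristic (a comma-separated AuthenticationMethods list such as publickey,keyboard-interactive backed by a PAM second factor).

```shell
#!/bin/sh
# Added example (not from ESET): audit an sshd_config against the recommendations
# "favour key-based authentication", "disable remote root login" and
# "use multi-factor authentication". Sample configs below are constructed.

# Effective value of a keyword. sshd honours the FIRST uncommented occurrence and
# keywords are case-insensitive. The "Key=value" form and Match blocks are not
# handled here, so review those by hand.
sshd_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Audit one file: prints a line per finding and returns the number of findings,
# so a return value of 0 means every checked setting is hardened.
audit_sshd_config() {
    f="$1"
    n=0

    # Disable remote root login.
    v=$(sshd_value "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}'; set it to 'no'"
        n=$((n + 1))
    fi

    # Favour key-based authentication: passwords off, public keys on.
    v=$(sshd_value "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset (defaults to yes)}'; set it to 'no'"
        n=$((n + 1))
    fi
    v=$(sshd_value "$f" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "PubkeyAuthentication is 'no'; set it to 'yes'"
        n=$((n + 1))
    fi

    # Multi-factor heuristic: two comma-separated methods must all succeed,
    # e.g. a key plus a PAM-driven one-time code via keyboard-interactive.
    v=$(sshd_value "$f" AuthenticationMethods)
    case "$v" in
        *,*) ;;
        *)
            echo "AuthenticationMethods is '${v:-unset}'; require two factors, e.g. 'publickey,keyboard-interactive'"
            n=$((n + 1)) ;;
    esac

    # "Keep systems up-to-date" is a patching process rather than a config line:
    # compare the installed openssh-server package with your distribution's advisories.
    return "$n"
}

# Constructed sample configs: one resembling a permissive default, one hardened.
weak=$(mktemp)
cat > "$weak" <<'EOF'
# constructed weak sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

hardened=$(mktemp)
cat > "$hardened" <<'EOF'
# constructed hardened sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF

echo "== weak =="; audit_sshd_config "$weak"; echo "findings: $?"
echo "== hardened =="; audit_sshd_config "$hardened"; echo "findings: $?"
rm -f "$weak" "$hardened"
```

Run it against /etc/ssh/sshd_config on a server to get a quick picture; a non-zero exit status from the audit function makes it easy to wire into a configuration-management check. Because sshd takes the first occurrence of each keyword, a hardened line appended at the bottom of a file that already sets the same keyword has no effect, which is exactly the case the first-match rule in sshd_value is there to expose.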
Concluding on the significance of the study, Léveillé further commented: “Hopefully, these discoveries will enable significant improvements in the prevention, detection and remediation of future OpenSSH-based attacks on Linux servers. Compromised servers are a cybersecurity nightmare but by working together, system administrators and malware researchers can help each other in the fight against server-side malware.”