A little more than three years ago we started hunting for OpenSSH backdoors being used in the wild.
While we are always trying to improve defenses against Linux malware by discovering and analyzing examples, the scope of this hunt was specifically to catch server-side OpenSSH backdoors.
Unfortunately, telemetry on Linux malware is not as readily available as it is on other platforms. Nonetheless, malicious OpenSSH binaries are quite common and have features that help us detect them among legitimate OpenSSH binaries.
Although we used the samples to improve our detection as soon as we collected them, we only began sorting and analyzing them in 2018. Surprisingly, we discovered many new backdoor families that had never been documented before.
We tried to gather as much information as possible about each family we uncovered, for example by deliberately leaking credentials for honeypots we monitor to the attackers.
This paper is the result of this research and contains indicators of compromise that could help identify compromised servers.