OpenSSH, a suite of networking software that allows secure communications over an unsecured network, is the most common tool for system administrators to manage rented Linux servers. And given that over one-third of public-facing internet servers run Linux, it shouldn’t come as a surprise that threat actors would exploit OpenSSH’s popularity to gain control of them.
Nearly five years ago, ESET researchers helped to disrupt a 25 thousand-strong botnet of Linux machines that were saddled with an OpenSSH-based backdoor and credential stealer named Ebury. The attackers wielding it first performed a check if other SSH backdoors are present at the targeted system before deploying the malware.
This spurred the researchers to search for and analyze these type of (server-side OpenSSH) backdoors.
They found that there is a wide spectrum of complexity in backdoor implementation, starting from off-the-shelf malware to obfuscated samples and network protocols, but that all of them are the result of modifying and recompiling the original portable OpenSSH source used on Linux.
Also, that there are multiple code bases for the various backdoors, but that most of them share similar basic features (e.g., hardcoded credentials to activate a backdoor mode, credential stealing).
All of the collected samples copy the stolen credentials to a local file, even though attackers then must log back onto the compromised machine to retrieve the file. But some of the malware families are also capable of pushing the credentials on the network.