Nearly five years ago, ESET researchers helped to disrupt a 25 thousand-strong botnet of Linux machines that were saddled with an OpenSSH-based backdoor and credential stealer named Ebury. The attackers wielding it first performed a check if other SSH backdoors are present at the targeted system before deploying the malware.
This spurred the researchers to search for and analyze these type of (server-side OpenSSH) backdoors.
They found that there is a wide spectrum of complexity in backdoor implementation, starting from off-the-shelf malware to obfuscated samples and network protocols, but that all of them are the result of modifying and recompiling the original portable OpenSSH source used on Linux.
Also, that there are multiple code bases for the various backdoors, but that most of them share similar basic features (e.g., hardcoded credentials to activate a backdoor mode, credential stealing).
All of the collected samples copy the stolen credentials to a local file, even though attackers then must log back onto the compromised machine to retrieve the file. But some of the malware families are also capable of pushing the credentials on the network.
Read more: Help Net Security