System administrators are being strongly urged to check their web servers for several pieces of Linux malware, including a rootkit known as Ebury SSH, as part of an operation that has infected as many as 25,000 web servers in the past two years.
Ebury SSH is being used as a key part of a large and sophisticated operation called “Windigo”, outlined in detail by ESET (PDF). Windigo also includes the HTTP backdoor Linux/Cdorked, used to redirect web traffic, and Perl/Calfbot, a Perl script used to send spam.
Windigo has been around since at least 2011, and has compromised a wide range of operating systems including Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux (including Linux on the ARM architecture).
According to German government research agency CERT-Bund, Ebury is a Secure Shell rootkit/backdoor trojan for Linux and Unix-style operating systems.
CERT-Bund notes that Ebury provides a backdoor that attackers can use to get a remote root shell on infected hosts. Ebury steals SSH login credentials from incoming and outgoing SSH connections. Systems infected with Ebury are compromised at the root level and are best dealt with by re-installing the operating system rather than trying to clean it up.
Some antivirus products are capable of detecting Ebury, usually as ‘SSHDoor’ or ‘Sshdkit’. However, ClamAV and tools such as chkrootkit or rkhunter do not currently detect Ebury.
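Since the usual rootkit scanners do not flag Ebury, one generic check an administrator can still run is to verify the distribution's OpenSSH packages against the package database and list any binaries whose contents no longer match what the package shipped. The script below is an added example, not from the article, ESET, or CERT-Bund: it parses the output of `rpm -V` or `dpkg --verify`, whose first columns carry per-file check flags (`5` in column three means the file's digest changed, `S` in column one means its size changed). The package names used (`openssh-server`, `openssh-clients`, `keyutils-libs` on RPM systems; `openssh-server`, `openssh-client`, `libkeyutils1` on Debian systems) are assumptions about the target distribution; `keyutils-libs`/`libkeyutils1` is included because ESET's research found later Ebury builds shipped as a modified `libkeyutils` shared library. A verifier only covers files the package manager knows about, so a clean result does not prove a host is uninfected, and on a root-level compromise `rpm`, `dpkg` and the package database are themselves untrustworthy, which is why the functions accept a root path so the check can be run from rescue media against the mounted disk.

```shell
#!/bin/sh
# Added example (not part of the original article or ESET's report):
# list package-managed OpenSSH files whose on-disk digest or size differs
# from what the package shipped. A replaced sshd/ssh binary is a generic
# indicator of an SSH backdoor, not a signature for Ebury specifically.

# Reads rpm -V / dpkg --verify output on stdin and prints the path of each
# file whose size ("S" in column 1) or digest ("5" in column 3) changed.
# Lines that only show an mtime change or a "missing" marker are ignored.
rpm_modified_files() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        flags=$(printf '%s' "$line" | cut -c1-9)
        path=$(printf '%s' "$line" | awk '{print $NF}')
        case "$flags" in
            S*|??5*) printf '%s\n' "$path" ;;
        esac
    done
}

# Runs the distribution's verifier for the OpenSSH packages (package names
# are assumptions about the target distro). $1 is the root to verify; use a
# mounted rescue path such as /mnt/root when the live system cannot be
# trusted. Returns 0 if nothing changed, 1 if modified files were printed,
# 2 if neither rpm nor dpkg is available.
check_ssh_packages() {
    root="${1:-/}"
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm --root "$root" -V openssh-server openssh-clients keyutils-libs 2>/dev/null | rpm_modified_files)
    elif command -v dpkg >/dev/null 2>&1; then
        out=$(dpkg --root="$root" --verify openssh-server openssh-client libkeyutils1 2>/dev/null | rpm_modified_files)
    else
        echo "neither rpm nor dpkg found" >&2
        return 2
    fi
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Only scan when explicitly asked, e.g.:  sh check_ssh.sh scan /mnt/root
case "${1:-}" in
    scan) check_ssh_packages "${2:-/}" ;;
esac
```

Run it as `sh check_ssh.sh scan` on the live host for a first look, or boot rescue media, mount the suspect disk and run `sh check_ssh.sh scan /mnt/root` so that the verifier and package database come from a trusted medium. Any path it prints should be treated as evidence of a root-level compromise, which, as CERT-Bund advises, means rebuilding the system rather than cleaning it.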
ESET notes that victims of Windigo may be Windows end-users visiting legitimate websites hosted on compromised servers, and Linux/Unix server operators whose servers were compromised. Windigo is also responsible for sending an average of 35 million spam messages per day, and more than 700 web servers are currently redirecting visitors to malicious content.