Home / malwarePDF  

Backdoor:Linux/Ebury.A


First posted on 21 March 2012.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Linux/Ebury.A.

Explanation :

Backdoor:Linux/Ebury.A is a backdoor trojan that allows unauthorized access and control of an affected computer. The backdoor has been distributed as a modified version of OpenSSH - an open source alternative to proprietary Secure Shell Software (SSH).


Top

Backdoor:Linux/Ebury.A is a backdoor trojan that allows unauthorized access and control of an affected computer. The backdoor has been distributed as a modified version of OpenSSH - an open source alternative to proprietary Secure Shell Software (SSH).

The backdoor OpenSSH version was discovered in a Debian environment, distributed in a 32-bit and 64-bit ELF (executable) binary format. This specifically affects Unix environments.



Installation

Backdoor:Linux/Ebury.A is a trojanized version of OpenSSH, which may be found on a binary directory of a Unix-based computer, as one of the following files:

  • /usr/bin/ssh
  • /usr/sbin/sshd
  • /usr/bin/ssh-add


When executed, it functions just like any clean and legitimate OpenSSH binary.

The backdoor is configured to allow the remote attacker to log in to the affected user's computer. The communication and remote connection is protected, which ensures that the attacker has sole use of this backdoor for virtually any purpose.



Payload

Contacts remote hosts

Backdoor:Linux/Ebury.A uses User Datagram Protocol (UDP) to send and receive DNS request messages, via port 53, to the following remote hosts:

  • 9w7vcuctes.info
  • 6gascrcqep.net
  • eo7ncmclek.biz
  • eoencmclek.net


These domain names have been observed being hosted behind a fast-flux service network, where both the NS records (authoritative name server) and A records (host address) are dynamic or changing. This technique enables the remote attacker to evade identification, while it continues with its malicious activities.

Allows backdoor access and control

The backdoor checks the response messages from the DNS request and it continues until it reaches the remote attacker's server. It attempts to communicate with a remote server by sending requests with obfuscated strings constructed as subdomain of the affected host.

Below are some examples of DNS requests used by the backdoor:

  • 614be8f16c0ef8fc6a5a.<IP address>
  • 614be8f16c0eff9e06d.<IP address>
  • 614be8f16c0eeef6674ce3.<IP address>


Once the remote attacker identifies the backdoor message, it may respond by activating the backdoor with a command. The backdoor uses a unique key to encode and decode command messages.

Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:

  • Download and execute arbitrary files
  • Upload files
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files
  • Allow remote attackers login to affected computer
  • Cover its tracks by removing traces from SSH logs
  • Use SSH-add to add necessary keys to memory (this ensures that the remote connection will be authenticated without prompting for pass-phrase)
  • Query backdoor information (for example, SSH version) to ensure login option without prompting for password




Analysis by Methusela Cebrian Ferrer

Last update 21 March 2012

 

TOP