
Ebury

Posted: February 21, 2020

Ebury is a Linux backdoor Trojan that targets the OpenSSH software suite by deploying a patch that alters the behavior and configuration of the OpenSSH executables. This is not an uncommon strategy, and plenty of backdoors have applied such changes in the past, but the Ebury backdoor is one of the few Trojans that do so on a Linux operating system. The ultimate goal of Ebury is to plant its modules on the compromised host and then use them to exfiltrate sensitive login credentials and other data to the attackers' command server. If an anti-virus tool identifies the Ebury Trojan on one of your computers, it is strongly recommended to let it take care of the issue and then perform a clean installation of the OpenSSH software. Furthermore, all passwords used on this device should be changed immediately, as they are likely to be stored in the attackers' database.
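Because Ebury works by patching the OpenSSH executables rather than by exploiting a vulnerability, the practical detection question for a defender is whether the `ssh`, `sshd` and related binaries on a host still match a known-good copy. The following script is an added example, not code from the original page or from any security vendor: it records SHA-256 hashes of a set of files into a baseline and later verifies the live files against it, reporting modified and missing entries. The file names and contents in `demo()` are constructed stand-ins so that the example runs offline; on a real host you would point `build_baseline()` at the installed OpenSSH binaries (for instance `/usr/sbin/sshd` and `/usr/bin/ssh`) immediately after a clean installation.

```python
"""Baseline integrity check for OpenSSH binaries (added illustrative example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each path to its current SHA-256; capture this right after a clean install."""
    return {str(p): sha256_file(p) for p in paths}


def save_baseline(baseline, out_path):
    """Persist the baseline as JSON (store the copy off-host, see usage note)."""
    with open(out_path, "w", encoding="utf-8") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def verify_baseline(baseline):
    """Compare live files with the baseline; a non-empty 'modified' list is the alert."""
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_file(path) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo():
    """Run the check against constructed stand-in files and return (clean, tampered) reports."""
    with tempfile.TemporaryDirectory() as tmp:
        sshd = Path(tmp) / "sshd"   # constructed stand-in for /usr/sbin/sshd
        ssh = Path(tmp) / "ssh"     # constructed stand-in for /usr/bin/ssh
        sshd.write_bytes(b"stand-in sshd binary contents")
        ssh.write_bytes(b"stand-in ssh binary contents")

        baseline_file = Path(tmp) / "openssh-baseline.json"
        save_baseline(build_baseline([sshd, ssh]), baseline_file)
        baseline = load_baseline(baseline_file)

        clean = verify_baseline(baseline)

        # Simulate a patched executable: the file changes, the baseline does not.
        sshd.write_bytes(b"stand-in sshd binary contents plus patch")
        tampered = verify_baseline(baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean host:", before)
    print("after patch:", after)
```

Two caveats matter in practice. First, the baseline must come from a trusted source (a freshly installed package or the distribution's package metadata) and should be stored off the host, because a backdoor running as root can rewrite any hash file kept locally just as easily as it rewrites `sshd`. Second, package-manager verification (`rpm -V openssh-server` on RPM systems, `dpkg --verify openssh-server` on Debian-derived ones) performs a similar comparison against the package database and is a reasonable first check, with the same limitation that the database itself lives on the possibly compromised machine.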

Ebury uses various methods to exfiltrate passwords and usernames from the compromised system, and some of its tricks are very surprising. For example, Ebury logs even failed login attempts, and the credentials used are still sent to the attackers' server, though they are flagged so that unsuccessful attempts can be identified easily. In addition to this, Ebury collects passphrases, private keys and OpenSSH keys.

Although credential collection is Ebury's primary purpose, the backdoor can also receive remote commands that allow the attacker to view the Ebury version information, as well as to transmit all passwords, keys and passphrases.

The authors of Ebury improvised and came up with a unique way to modify the behavior of OpenSSH without finding an actual vulnerability in the software suite. Thanks to the passwords collected during their attacks, they are able to infect other systems that were somehow connected to a host that had already been compromised.
