An In-depth Analysis of Linux/Ebury
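<!DOCTYPE html>
<!--
  Document head for this article page: page metadata and social-card tags,
  resource preloads, the site's article-header module, then inline analytics
  loaders (Google Tag Manager and Akamai mPulse/boomerang). The vendor
  snippets are kept verbatim except for one URL fix noted below; the other
  changes are markup hygiene (void elements without a trailing slash, quoted
  attributes, an iframe title).
-->
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="canonical" href="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/">
  <title>An In-depth Analysis of Linux/Ebury</title>
  <meta content="article" property="og:type">
  <meta content="An In-depth Analysis of Linux/Ebury" property="og:title">
  <meta content="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" property="og:url">
  <meta content="An In-depth Analysis of Linux/Ebury" property="og:description">
  <meta name="robots" content="index, follow, max-image-preview:large, max-video-preview:-1">
  <meta name="description" content="In this blog post, we provide an in-depth analysis of Linux/Ebury - the most sophisticated Linux backdoor ever seen by our researchers. It is built to steal OpenSSH credentials and maintain access to a compromised server.">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:site" content="@welivesecurity">
  <meta name="twitter:description" content="In this blog post, we provide an in-depth analysis of Linux/Ebury - the most sophisticated Linux backdoor ever seen by our researchers. It is built to steal OpenSSH credentials and maintain access to a compromised server.">
  <meta name="twitter:title" content="An In-depth Analysis of Linux/Ebury">
  <meta name="twitter:url" content="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/">
  <!-- Preloading resources: the font preloads carry crossorigin (required for as="font"); the hero image is preloaded in the variant matching the viewport width -->
  <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-BookLF-405f3258.woff" as="font" type="font/woff" crossorigin>
  <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-BoldLF-31f4bc72.woff" as="font" type="font/woff" crossorigin>
  <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-DemiLF-8885b886.woff" as="font" type="font/woff" crossorigin>
  <link rel="preload" href="https://web-assets.esetstatic.com/tn/-x266/wls/2014/02/linux-ebury-eset.jpg" as="image" media="(max-width: 768px)">
  <link rel="preload" href="https://web-assets.esetstatic.com/tn/-x425/wls/2014/02/linux-ebury-eset.jpg" as="image" media="(min-width: 768.1px)">
  <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/article-header-995fa639.js">
  <script type="module" src="https://www.welivesecurity.com/build/assets/article-header-995fa639.js"></script>
  <!-- NOTE(review): every inline script below would need a nonce or hash before a strict script-src CSP could be applied to this page -->
  <!-- Publishes the article's metadata as a 'postPageViewed' CustomEvent once 'pageLoaded' has been dispatched (see the module script after the GTM block) -->
  <script> window.addEventListener('pageLoaded', () => { window.dispatchEvent(new CustomEvent('postPageViewed', { detail: { 'id': 11588, 'publicationId': 21059, 'name': 'An In-depth Analysis of Linux/Ebury', 'author': 'Marc-Etienne M.Léveillé', 'category': 'ESET Research', 'section': null, 'branch': 'en', 'date': '2014/02/21' } })); }); </script>
  <!-- Google Tag Manager -->
  <!-- GTM loader, wired to run only after 'pageLoaded'. The container script URL was protocol-relative ('//www.googletagmanager.com'); it is now an explicit https: URL so the loader is never fetched over plain http if the page is ever served that way. -->
  <script type="module"> window.addEventListener("pageLoaded", () => { (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PMDGSM'); }); </script>
  <!-- End Google Tag Manager -->
  <!-- Module scripts are deferred, so this dispatch runs after parsing, i.e. after the 'pageLoaded' listeners above have been registered -->
  <script type="module"> window.dispatchEvent(new CustomEvent("pageLoaded")); </script>
  <!-- Styles -->
  <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/app-22f82615.css">
  <link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/app-22f82615.css">
  <!-- Others -->
  <!-- Exposes the current site language to page scripts as a global, parsed from a static JSON literal -->
  <script> window.$current_language = JSON.parse('{"id":1,"code":"en","name":"English","is_pblic":true,"is_active":true,"is_default":true,"is_rtl":false}'); </script>
  <!--
    Akamai mPulse (boomerang) RUM, vendor snippets kept verbatim (minified).
    First script: queues beacon variables via BOOMR_mq. Second script: the
    loader, which prefers a <link rel="preload"> for the boomerang script and
    otherwise injects it through a hidden iframe; if opening the iframe's
    document throws, it falls back to a javascript: URL that sets
    document.domain. The "False"=="True" and ""=="true" comparisons are
    template-rendered constants, so those branches never run. The ak.* values
    inside the AK plugin (ak.rid, ak.tlsv, ak.t, the ak.ak token, ...) are
    per-request edge telemetry captured when this copy of the page was
    fetched; they are not part of the article content.
  -->
  <script>(window.BOOMR_mq=window.BOOMR_mq||[]).push(["addVar",{"rua.upush":"false","rua.cpush":"false","rua.upre":"false","rua.cpre":"false","rua.uprl":"false","rua.cprl":"false","rua.cprf":"false","rua.trans":"","rua.cook":"false","rua.ims":"false","rua.ufprl":"false","rua.cfprl":"false","rua.isuxp":"false","rua.texp":"norulematch","rua.ceh":"false","rua.ueh":"false","rua.ieh.st":"0"}]);</script>
  <script>!function(e){var n="https://s.go-mpulse.net/boomerang/";if("False"=="True")e.BOOMR_config=e.BOOMR_config||{},e.BOOMR_config.PageParams=e.BOOMR_config.PageParams||{},e.BOOMR_config.PageParams.pci=!0,n="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="7R9SM-QGSYF-QDLJK-UETXR-SPM6B",function(){function e(){if(!o){var e=document.createElement("script");e.id="boomr-scr-as",e.src=window.BOOMR.url,e.async=!0,i.parentNode.appendChild(e),o=!0}}function t(e){o=!0;var n,t,a,r,d=document,O=window;if(window.BOOMR.snippetMethod=e?"if":"i",t=function(e,n){var t=d.createElement("script");t.id=n||"boomr-if-as",t.src=window.BOOMR.url,BOOMR_lstart=(new Date).getTime(),e=e||d.body,e.appendChild(t)},!window.addEventListener&&window.attachEvent&&navigator.userAgent.match(/MSIE [67]\./))return window.BOOMR.snippetMethod="s",void t(i.parentNode,"boomr-async");a=document.createElement("IFRAME"),a.src="about:blank",a.title="",a.role="presentation",a.loading="eager",r=(a.frameElement||a).style,r.width=0,r.height=0,r.border=0,r.display="none",i.parentNode.appendChild(a);try{O=a.contentWindow,d=O.document.open()}catch(_){n=document.domain,a.src="javascript:var d=document.open();d.domain='"+n+"';void(0);",O=a.contentWindow,d=O.document.open()}if(n)d._boomrl=function(){this.domain=n,t()},d.write("<bo"+"dy onload='document._boomrl();'>");else if(O._boomrl=function(){t()},O.addEventListener)O.addEventListener("load",O._boomrl,!1);else if(O.attachEvent)O.attachEvent("onload",O._boomrl);d.close()}function a(e){window.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!window.BOOMR||!window.BOOMR.version&&!window.BOOMR.snippetExecuted){window.BOOMR=window.BOOMR||{},window.BOOMR.snippetStart=(new Date).getTime(),window.BOOMR.snippetExecuted=!0,window.BOOMR.snippetVersion=12,window.BOOMR.url=n+"7R9SM-QGSYF-QDLJK-UETXR-SPM6B";var i=document.currentScript||document.getElementsByTagName("script")[0],o=!1,r=document.createElement("link");if(r.relList&&"function"==typeof r.relList.supports&&r.relList.supports("preload")&&"as"in r)window.BOOMR.snippetMethod="p",r.href=window.BOOMR.url,r.rel="preload",r.as="script",r.addEventListener("load",e),r.addEventListener("error",function(){t(!0)}),setTimeout(function(){if(!o)t(!0)},3e3),BOOMR_lstart=(new Date).getTime(),i.parentNode.appendChild(r);else t(!1);if(window.addEventListener)window.addEventListener("load",a,!1);else if(window.attachEvent)window.attachEvent("onload",a)}}(),"".length>0)if(e&&"performance"in e&&e.performance&&"function"==typeof e.performance.setResourceTimingBufferSize)e.performance.setResourceTimingBufferSize();!function(){if(BOOMR=e.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var n=""=="true"?1:0,t="",a="bdpnbeqxfxh2oz2prxla-f-176c978fd-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,o={"ak.v":"39","ak.cp":"1251022","ak.ai":parseInt("757730",10),"ak.ol":"0","ak.cr":2,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"bdbb87b8","ak.r":49026,"ak.a2":n,"ak.m":"dscr","ak.n":"ff","ak.bpcip":"8.222.208.0","ak.cport":48810,"ak.gh":"23.45.206.167","ak.quicv":"","ak.tlsv":"tls1.2","ak.0rtt":"","ak.0rtt.ed":"","ak.csrc":"-","ak.acc":"reno","ak.t":"1733266902","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==acQS8TVF1TXBGHBFofVaZ4/Q+rNZtnfQ/YiJk/tAozvMheW0jYng8ulKzuzJ4t+fguppM/lYvPreYYlau6YdLcyQCxHLq/AMoz9tTUD8fOuY7HqhLrauAb+Ejuo5f3FVKkXhh7pu94t1H6nK8N5ikUuMStwodBhoekr2Tbbb969AVt4sdCR8t92gm3bNXGoQbUkU+60KbptI6w/594Nqe47oRsWAtX+YdeUD11Ic/5FIKGJcVNR87Y38sW5ohu1q08lXqKNKXVQHrTdK+vrgsY33zoS5ZPJt6UkC5cM9E9tjv/pozKM4JtMy3adwnFtJBHaFvCwkkTqiqfFC7Vb999ZPBtKtFmahuXak7za04f2+Kd3cZzpZDy8zaJMUZUKBT1EIL8Uj+D79S1cURu+SLWlQmdnxeYgWRkxLQ2M5ZfE=","ak.pv":"20","ak.dpoabenc":"","ak.tf":i};if(""!==t)o["ak.ruds"]=t;var r={i:!1,av:function(n){var t="http.initiator";if(n&&(!n[t]||"spa_hard"===n[t]))o["ak.feo"]=void 0!==e.aFeoApplied?1:0,BOOMR.addVar(o)},rv:function(){var e=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.0rtt.ed","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(e)}};BOOMR.plugins.AK={akVars:o,akDNSPreFetchDomain:a,init:function(){if(!r.i){var e=BOOMR.subscribe;e("before_beacon",r.av,null,null),e("onbeacon",r.rv,null,null),r.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script>
</head>
<body>
  <!-- Google Tag Manager (noscript) -->
  <!-- No-JS fallback for GTM. The src value was unquoted and the frame had no accessible title; both are fixed here. The inline style is the vendor's hiding technique. -->
  <noscript>
    <iframe src="https://www.googletagmanager.com/ns.html?id=GTM-PMDGSM" title="Google Tag Manager" height="0" width="0" style="display:none;visibility:hidden"></iframe>
  </noscript>
  <!-- End Google Tag Manager (noscript) -->
  <div id="app">
    <!-- navbar -->
    <header id="wls-nav-header" class="wls-header navbar sticky-top navbar-expand-lg has-shadow">
      <div class="container 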
9.0363 17.4683 15.8163 15.8383 17.4463 9.0583 10.6663 2.2683 17.4463 .6383 15.8163 7.4283 9.0363 .6383 2.2463 2.2683 .6163 9.0583 7.4063 15.8383 .6163 17.4683 2.2463 10.6883 9.0363" /></svg></button></div></div></div></nav> </div> </div> <div class="additional-info d-none"> <div class="container"> <p> Award-winning news, views, and insight from the ESET security community </p> </div> </div> </header> <!-- main content --> <div id="main"> <div class="container article-page py-5"> <div class="row"> <div class="col col-lg-8 pe-lg-0"> <div class="article-header"> <p class="category text-uppercase">ESET Research</p> <h1 class="page-headline">An In-depth Analysis of Linux/Ebury</h1> <p class="sub-title">In this blog post, we provide an in-depth analysis of Linux/Ebury - the most sophisticated Linux backdoor ever seen by our researchers. It is built to steal OpenSSH credentials and maintain access to a compromised server.</p> <div class="article-authors d-flex flex-wrap"><div class="article-author d-flex"><a href="/en/our-experts/marc-etienne-m-leveille/" title="Marc-Etienne M.Léveillé"><picture><source srcset="https://web-assets.esetstatic.com/tn/-x45/wls/2013/06/Marc-Etienne-M.Leveille.png" media="(max-width: 768px)" /><img class="author-image me-3" src="https://web-assets.esetstatic.com/tn/-x45/wls/2013/06/Marc-Etienne-M.Leveille.png" alt="Marc-Etienne M.Léveillé" /></picture></a><div class="author-text"><p><a href="/en/our-experts/marc-etienne-m-leveille/" title="Marc-Etienne M.Léveillé"><b>Marc-Etienne M.Léveillé</b></a></p></div></div></div> <p class="article-info mb-5"> <span>21 Feb 2014</span> <span class="d-none d-lg-inline"> • </span> <span class="d-inline d-lg-none">, </span> <span>15 min. 
read</span> </p> <div class="hero-image-container"> <picture><source srcset="https://web-assets.esetstatic.com/tn/-x266/wls/2014/02/linux-ebury-eset.jpg" media="(max-width: 768px)" /><source srcset="https://web-assets.esetstatic.com/tn/-x425/wls/2014/02/linux-ebury-eset.jpg" media="(max-width: 1120px)" /><img class="hero-image" src="https://web-assets.esetstatic.com/tn/-x700/wls/2014/02/linux-ebury-eset.jpg" alt="An In-depth Analysis of Linux/Ebury" /></picture> </div> </div> <div class="article-body"> <p id="docs-internal-guid-1754022e-5515-be3f-4617-0db2ffd0cce3" dir="ltr">ESET has been analyzing and tracking an <a href="http://openssh.org/">OpenSSH</a> backdoor and credential stealer named Linux/Ebury. The result of this work on the Linux/Ebury malware family is part of a joint research effort with <a href="https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/Cert-Bund/cert-bund_node.html">CERT‑Bund</a>, the <a href="http://www.snic.vr.se/">Swedish National Infrastructure for Computing</a>, the <a href="http://home.web.cern.ch/about">European Organization for Nuclear Research</a> (CERN) and other organizations forming an international Working Group.</p> <p dir="ltr">In this blog post, we provide an in-depth analysis of Linux/Ebury. It is a sophisticated backdoor used to steal OpenSSH credentials and maintain access to a compromised server. According to <a href="http://plog.sesse.net/blog/tech/2011-11-15-21-44_ebury_a_new_ssh_trojan.html">previous reports</a>, this backdoor has been in the wild for at least two years. Linux/Ebury comes in two different shapes: a malicious library and a patch to the main OpenSSH binaries. The malicious library is a modified version of <tt>libkeyutils.so</tt>. This shared library is loaded by all OpenSSH executables files such as <tt>ssh</tt>, <tt>sshd</tt> and <tt>ssh-agent</tt>. We will describe how the backdoor works and how the<tt> OpenSSH</tt> functionalities are hooked. 
We will also show how passwords are captured and exfiltrated. Finally, we will provide detailed information on how system administrators can identify infected systems.</p> <p dir="ltr">If a system is found to be infected with Linux/Ebury, we strongly recommend re-installing the operating system. It is also very important to consider all credentials used to log into this machine as compromised. All passwords and private OpenSSH keys should be changed</p> <h2 dir="ltr">Known variants</h2> <p dir="ltr">Linux/Ebury is noteworthy for multiple reasons. Although this is something common under the Windows operating system, it is the first time we've seen a malicious library being used on <a href="http://www.opengroup.org/austin/">POSIX</a> systems. Linux/Ebury also uses innovative tricks to hook functions, discover the address space of the <a href="https://en.wikipedia.org/wiki/Executable_and_Linkable_Format">ELF</a> executable that loaded the library and apply patches to its code at runtime. We believe that before using the external library to hook into<tt> OpenSSH</tt> processes, the author of Linux/Ebury used a patch to modify the source code of OpenSSH, thereby adding “new functionalities” to the software. The first variants found were modified binaries left on the disk. The three affected files are <tt>ssh</tt>, <tt>sshd</tt> and <tt>ssh-add</tt>. We have also seen usage of the <a href="http://en.wikipedia.org/wiki/RPM_Package_Manager">rpm</a> commands to remove signature from the original <tt>OpenSSH</tt> packages (<tt>openssh-server, openssh-clients</tt>) and modify the RPM database to update the file hashes with those of the malicious files. This will make the output of <tt>rpm --verify openssh-servers</tt> report the files as unmodified. However, the output from <tt>rpm -qi openssh-servers</tt> will clearly show the package is missing its signatures.</p> <p dir="ltr">Later variants of Linux/Ebury do not modify the <tt>OpenSSH</tt> files directly. 
Instead, a shared library that is loaded by all OpenSSH executable files is modified to change the behaviour of the programs. The changes are the same as in the patched OpenSSH variants, except that some functions are hooked and patches to the original code are applied at run time. The shared library that is modified on the system is <tt>libkeyutils.so</tt>. Usually, this file is about 10KB in size. The malware adds approximately 20KB of additional malicious code, making the file weigh in at about 30KB in total.</p> <p dir="ltr">Here are two examples of how the backdoor is deployed. The first one shows a Linux/Ebury-infected file next to the clean <tt>libkeyutils.so</tt>. The symbolic link is modified to point to the rogue version.</p> <p dir="ltr"><img style="display: block; margin-left: auto; margin-right: auto;" title="" src="https://web-assets.esetstatic.com/wls/2014/02/image01.png" alt="Linux/Ebury-infected libkeyutils.so next to the clean file, with the symbolic link pointing to the rogue version" width="" height="" /></p> <p dir="ltr" style="text-align: left;">The second screenshot shows the <tt>libkeyutils.so</tt> being replaced with Linux/Ebury’s version.</p> <p dir="ltr" style="text-align: left;"><img style="display: block; margin-left: auto; margin-right: auto;" title="" src="https://web-assets.esetstatic.com/wls/2014/02/image02.png" alt="libkeyutils.so replaced with Linux/Ebury’s version" width="" height="" /></p> <p dir="ltr">Although placing malicious code inside libraries has already been seen before, this is the first time we have observed this technique being used on the Linux operating system to modify the behaviour of <tt>OpenSSH</tt>.</p> <p dir="ltr">To enable the different features of the malware, a <a href="http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html#index-g_t_0040code_007bconstructor_007d-function-attribute-2825">constructor function</a> was added to the <tt>libkeyutils.so</tt>. This function is called when the library is loaded.
This function detects which binary it was loaded from, applies patches to the original code, and hooks functions from the original import table.</p> <p dir="ltr">In the most recent variants of Linux/Ebury, strings are obfuscated with a simple <tt>XOR</tt> encryption with a static key. After unpacking, the malware loads the various functions it requires using multiple calls to the <tt>dlsym</tt> function. Linux/Ebury then discovers the original executable address space by calling <tt>dlopen</tt>(<tt>NULL, RTLD_NOW</tt>) and passing the returned handle to <tt>dlinfo(handle, RTLD_DI_LINKMAP,</tt> ...). This will work even if <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">ASLR</a> is enabled on a system. This behaviour gives Linux/Ebury the ability to walk the import table of an ELF executable and replace the original imported function address in memory. The result is that when the programs <tt>ssh</tt>, <tt>sshd</tt> or <tt>ssh-add</tt> call one of the hooked functions, the call is redirected to the malicious libkeyutils.so implementation, which can replace the original behaviour. The following code snippet shows the calls to dlopen and dlinfo to find the main program address space and walk the ELF header information:</p> <p dir="ltr"><a href="https://web-assets.esetstatic.com/wls/2014/02/symbol_parsing.png"><img class="aligncenter" src="https://web-assets.esetstatic.com/wls/2014/02/symbol_parsing.png" alt="Code snippet showing the dlopen and dlinfo calls used to find the main program address space and walk the ELF header" width="550" /></a></p> <p id="docs-internal-guid-4991ef6b-551e-2dd1-c441-cd47c8ae00a4" dir="ltr">The logging functions are hooked so that whenever the backdoor is used, nothing gets sent to the logging facility, leaving no trace of the backdoor in the log files on disk.
If the backdoor is not in use, logging will behave normally and function calls will get redirected to the original function implementation.</p> <p dir="ltr">The following functions are hooked when the malicious <tt>libkeyutils.so</tt> is loaded inside the <tt>sshd</tt> process.</p> <ul> <li dir="ltr"><tt>audit_log_user_message</tt></li> <li dir="ltr"><tt>audit_log_acct_message</tt></li> <li dir="ltr"><tt>hosts_access</tt></li> <li dir="ltr"><tt>connect</tt></li> <li dir="ltr"><tt>__syslog_chk</tt></li> <li dir="ltr"><tt>write</tt></li> <li dir="ltr"><tt>syslog</tt></li> <li dir="ltr"><tt>popen</tt></li> <li dir="ltr"><tt>hosts_access</tt></li> <li dir="ltr"><tt>crypt</tt></li> <li dir="ltr"><tt>pam_start</tt></li> </ul> <p dir="ltr">The other functions such as <tt>pam_start </tt>and <tt>crypt </tt>are used to get the password used by a user to authenticate. Interestingly, the <tt>pam_start</tt> hook will place an additional hook for <tt>pam_authenticate</tt> to grab the password. The function connect is hooked so that when the <tt>Xbnd</tt> (documented below) command is used, a call to bind is made with the socket before the real call to connect is made.</p> <h2 dir="ltr">Runtime code modification</h2> <p dir="ltr" style="text-align: left;">When hooking from the import table is not an option, Linux/Ebury will modify the code segment by patching specific sections of the program to redirect call instruction to its own implementation. The following figure shows an example where the ssh program calls its own function <tt>key_parse_private_pem</tt> and the execution flow is redirected to malicious code. The address is shown in red because it is in the <tt>libkeyutils</tt>.so address space, outside<tt> ssh</tt>’s. 
The hook will call the original implementation and log the private key in memory, from where it will later be fetched by the operators.</p> <p dir="ltr" style="text-align: center;"><a href="https://web-assets.esetstatic.com/wls/2014/02/ssh_key_parse_clean.png"><img class="wp-image-40137" src="https://web-assets.esetstatic.com/wls/2014/02/ssh_key_parse_clean.png" alt="Clean ssh binary: the call to key_parse_private_pem goes to the original function" width="300" /></a><a href="https://web-assets.esetstatic.com/wls/2014/02/ssh_key_parse_hooked.png"><img class="wp-image-40138" src="https://web-assets.esetstatic.com/wls/2014/02/ssh_key_parse_hooked.png" alt="Hooked ssh binary: the call to key_parse_private_pem is redirected to an address in the libkeyutils.so address space" width="300" /></a></p> <p> </p> <p>Before attempting to modify the code segment, the program carefully sets a handler to intercept any segmentation fault it may cause. More specifically, the handler will be called if the process receives a <a href="https://www.gnu.org/software/libc/manual/html_node/Program-Error-Signals.html">SIGSEGV or SIGBUS</a> signal. In case such a signal is caught, Linux/Ebury will simply abort its task and let <tt>OpenSSH</tt> carry on with its legitimate behavior. The way it recovers from a segmentation fault is interesting. Before doing something that could potentially crash the process, <a href="http://pubs.opengroup.org/onlinepubs/7908799/xsh/sigsetjmp.html">sigsetjmp</a> is called to create a snapshot of the current state. Then, if an access violation ever happens, <a href="http://pubs.opengroup.org/onlinepubs/7990989799/xsh/siglongjmp.html">siglongjmp</a> is used in the signal handler to restore the previous state.</p> <p dir="ltr" style="text-align: left;">This code patching technique is limited because the offsets of the code to patch are hardcoded inside the libkeyutils.so trojan. Thus, its effectiveness is limited to the binaries targeted by the variant.
Typically each <tt>libkeyutils.so</tt> variant will work for 3 to 5 different OpenSSH builds from a specific Linux distribution.</p> <h2 dir="ltr">Functionalities</h2> <p dir="ltr">The backdoor is activated by sending specially-crafted data inside the SSH client protocol version identification string. Here is what the SSH specification has to say about protocol version identification.</p> <p dir="ltr" style="padding-left: 30px;"><tt>After the socket is opened, the server sends an identification string, which is of the form "SSH-&lt;protocolmajor&gt;.&lt;protocolminor&gt;-&lt;version&gt;\n", where &lt;protocolmajor&gt; and &lt;protocolminor&gt; are integers and specify the protocol version number (not software distribution version). &lt;version&gt; is server side software version string (max 40 characters); it is not interpreted by the remote side but may be useful for debugging.</tt></p> <p dir="ltr" style="text-align: right;">http://www.openssh.com/txt/ssh-rfc-v1.5.txt — T. Ylonen</p> <p dir="ltr">The <tt>&lt;version&gt;</tt> portion could be anything and should not be interpreted by the SSH server. In the case of a Linux/Ebury backdoor connection, the <tt>&lt;version&gt;</tt> contains a hexadecimal string of twenty-two (22) characters or more. It embeds an eleven (11) character password that is first encrypted with the client IP address and then encoded as a hexadecimal string; optionally, a four (4) byte command may be encrypted and encoded as well, after the password.</p> <p dir="ltr">Note that the protocol version identification is sent before the encryption handshake is done, making it possible to flag potential intrusions from a network trace.</p> <p dir="ltr">An example <tt>SSH</tt> protocol version string used to start a root shell looks like this:</p> <p><code>SSH-2.0-fb54c28ba102cd73c1fe43</code></p> <p dir="ltr">Once the backdoor password is verified, the <tt>sshd</tt> process will allow any password to work during password authentication.
If <tt>PermitRootLogin</tt>, <tt>PasswordAuthentication</tt> or <tt>PermitEmptyPassword</tt> is disabled, it will enable them to make sure it works. It will also disable all logging of the successful session creation. It will be as if nothing happened. In version 1.3.1 and newer, a SHA-1 sum of the password is kept in the binary instead of an eleven (11) character string (basic security practice by Linux/Ebury’s authors). This makes guessing the password impractical unless you have a packet capture of the operators logging in successfully. Furthermore, the password is different from one variant to another. This leads us to think the operators have a database of infected servers with the corresponding backdoor passwords so they can activate each backdoor successfully.</p> <p dir="ltr" style="text-align: center;"><a href="https://web-assets.esetstatic.com/wls/2014/02/passwd_plain.png"><img class="wp-image-40139" src="https://web-assets.esetstatic.com/wls/2014/02/passwd_plain.png" alt="Older variant: the eleven-character backdoor password stored in the binary" width="300" height="379" /></a> <a href="https://web-assets.esetstatic.com/wls/2014/02/passwd_sha1.png"><img class="wp-image-40140" src="https://web-assets.esetstatic.com/wls/2014/02/passwd_sha1.png" alt="Version 1.3.1 and newer: a SHA-1 sum of the backdoor password stored in the binary" width="300" height="320" /></a></p> <p id="docs-internal-guid-4991ef6b-5524-8d8d-1966-3ff486c22832" dir="ltr">The main purpose of the Linux/Ebury module is to steal credentials. The stolen credentials are most likely used to infect more servers.
There is no code in Linux/Ebury to propagate itself; the backdoor is probably spread manually by an attacker or installed through deployment scripts.</p> <h3 dir="ltr">Credential Stealing</h3> <p dir="ltr">Credentials are intercepted at multiple locations, when they are typed or used by the victim:</p> <ul> <li dir="ltr"> <p dir="ltr"><strong>Password from successful login to the infected server</strong>: Whenever someone logs in to a system infected with Linux/Ebury, the <tt>sshd</tt> daemon will save the password and send it to the exfiltration server.</p> </li> <li dir="ltr"> <p dir="ltr"><strong>Any password login attempt to the infected server</strong>: Even if the attempt is unsuccessful, the username and password used will be sent to the operators. They will be formatted differently, however, allowing the operators to differentiate these invalid credentials from the valid ones.</p> </li> <li dir="ltr"> <p dir="ltr"><strong>Password on successful login from the infected server</strong>: When someone uses the ssh client on an infected server, Linux/Ebury will intercept the password and send it to its exfiltration server.</p> </li> <li dir="ltr"> <p dir="ltr"><strong>Private key passphrase</strong>: When the ssh client on an infected server prompts the user for a private key passphrase, the passphrase will be sent to the remote exfiltration server.</p> </li> <li dir="ltr"> <p dir="ltr"><strong>Unencrypted private key</strong>: When a private key is used to authenticate to a remote server, the unencrypted version is intercepted by the malware. Unlike passwords, it will not send the key to the exfiltration server. Instead, it will store it in memory and wait for the operators to fetch the key with the <tt>Xcat</tt> command.</p> </li> <li dir="ltr"> <p dir="ltr"><strong>Private keys added to the OpenSSH agent with ssh-add</strong>: The keys added to an OpenSSH agent are also intercepted by the malware.
Both the unencrypted key itself and the passphrase typed by the user will be logged.</p> </li> </ul> <p dir="ltr">Whatever the credential type, Linux/Ebury will add all relevant information for the operators to be able to use it, like the username, the target IP address and its OpenSSH listening port.</p> <h3 dir="ltr">Password exfiltration</h3> <p dir="ltr">When a password is intercepted by Linux/Ebury, the information is sent to a remote server via a crafted DNS request sent to a specific IP address. The malware creates a regular A record request that will be sent on UDP port 53. The domain name requested contains encrypted and hexadecimal-encoded data as well as an IP address. The data has the following format:</p> <p dir="ltr"><tt><hexadecimal-encoded data>.<IP address></tt></p> <p dir="ltr">The <tt><hexadecimal-encoded data></tt> contains the credentials previously described. It is <tt>XOR</tt> encrypted with the 4-byte static key 0x000d5345 before being hexadecimal-encoded.</p> <p dir="ltr">The IP address included in the query depends on the type of stolen credentials. If the credentials are for the infected server itself, the client IP address is used. Otherwise, the remote IP address where the infected server is connecting to is used.</p> <p dir="ltr">We believe the malware authors chose to send packets that look like legitimate DNS requests over UDP port 53 to avoid being blocked by firewalls. It is very common to whitelist DNS requests in firewall configurations because blocking them could disrupt name resolution.</p> <p dir="ltr">There are 2 ways by which Linux/Ebury can choose a server where the DNS packets are sent. First, it can be set explicitly by the operator when sending an Xver command. The second method uses an algorithm to generate a domain name dynamically. This domain name will be queried for its A and TXT records. The TXT record will be used to verify that it is under the control of the operators using public key cryptography. 
Details about the domain generation algorithm and the verification process will be published later.</p> <h3 dir="ltr">Extra commands</h3> <p dir="ltr">Three commands are available to the malicious actors to ease the management of the compromised server. A command is appended to the backdoor password before being encrypted. When the backdoor identifies a command, it interprets it instead of starting a shell. Here is a list of the commands that can be processed by the backdoor:</p> <ul> <li dir="ltr"> <p dir="ltr"><tt>Xcat</tt>: print all the passwords, passphrases, and keys saved in the shared memory and exit.</p> </li> <li dir="ltr"> <p dir="ltr"><tt>Xver</tt>: print the installed Linux/Ebury version and exit. <tt>Xver</tt> also accepts an optional four (4) byte argument. If present, it will set the exfiltration server IP address to the given one.</p> </li> <li dir="ltr"> <p dir="ltr"><tt>Xbnd</tt>: <tt>Xbnd</tt> takes a four (4) byte argument. When creating a tunnel to a remote host, bind the client socket to the specified interface IP address.</p> </li> </ul> <h2 dir="ltr">Version tracking</h2> <p dir="ltr">The authors of Linux/Ebury have the good practice of leaving a version number inside their binaries. This allows operators to know what version is installed on each system. It also helped researchers understand the chronology of events and sort samples more easily.</p> <p dir="ltr">For example, since version 1.3.2, Linux/Ebury will not send any information to a remote server if an interface is in promiscuous mode. An interface is set to promiscuous mode when software like tcpdump is capturing the traffic on a network interface.
The authors probably added this feature in reaction to an article from <a href="http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CompSystem">cPanel</a> about Linux/Ebury that suggested running tcpdump to monitor DNS requests and notice exfiltration data as an indicator of compromise. A consequence for investigators is that capturing on the suspect host itself will suppress the very exfiltration traffic being looked for; capture from a separate vantage point instead, such as a network tap, a mirror port or another host on the path.</p> <h2 dir="ltr">Indicators of Compromise (IOCs)</h2> <p dir="ltr">We will provide two means of identifying the presence of the Linux/Ebury SSH backdoor. The easiest way to identify an infected server relies on the presence of a feature added by the malware to the ssh binary. A longer process involves inspection of the shared memory segments used by the malware.</p> <p dir="ltr">The command <tt>ssh -G</tt> has a different behaviour on a system with Linux/Ebury. A clean server will print</p> <p dir="ltr"><tt>ssh: illegal option -- G</tt></p> <p dir="ltr">to <tt>stderr</tt>, but an infected server will only print the typical “usage” message. One can use the following command to determine whether the server they are on is compromised:</p> <p dir="ltr"><tt>$ ssh -G 2&gt;&amp;1 | grep -e illegal -e unknown &gt; /dev/null &amp;&amp; echo "System clean" || echo "System infected"</tt></p> <p dir="ltr">Note that this test only holds for OpenSSH builds that do not themselves recognise <tt>-G</tt>; newer OpenSSH releases accept it as a legitimate option, so check the installed OpenSSH version before drawing a conclusion from this command alone.</p> <p dir="ltr">Linux/Ebury relies on POSIX shared memory segments (SHMs) for interprocess communication. The current version uses large segments of over 3 megabytes of memory with broad permissions allowing everyone to read and write to this segment.</p> <p>Other processes could legitimately create shared memory segments with broad permissions.
Make sure to validate that <tt>sshd</tt> is the process that created the segment, as shown below.</p> <p dir="ltr">One can identify large shared memory segments with broad permissions by running the following as root:</p> <pre class="language-bash" title=""><code># ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch
0x00000000 0          root       644        80         2
0x00000000 32769      root       644        16384      2
0x00000000 65538      root       644        280        2
0x000010e0 465272836  root       666        3282312    0</code></pre> <p>Then, to look for the process that created the shared memory segment, use:</p> <pre class="language-bash" title=""><code># ipcs -m -p

------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       4162       4183
32769      root       4162       4183
65538      root       4162       4183
465272836  root       15029      17377</code></pre> <p dir="ltr">If the process matches sshd:</p> <pre class="language-bash" title=""><code># ps aux | grep &lt;pid&gt;
root     11531  0.0  0.0 103284   828 pts/0    S+   16:40   0:00 grep 15029
root     15029  0.0  0.0  66300  1204 ?        Ss   Jan26   0:00 /usr/sbin/sshd</code></pre> <p id="docs-internal-guid-4991ef6b-552f-5fff-8aad-c2052ae2d448" dir="ltr">An <tt>sshd</tt> process using shared memory segments larger than three (3) megabytes (3,145,728 bytes) and with broad permissions (666) is a strong indicator of compromise.</p> <h3 dir="ltr">Network-based indicators</h3> <p>We are providing simple <a href="http://snort.org" target="_blank" rel="noopener">snort</a> rules in order to easily pinpoint malicious activity in large networks. Since the Internet is a wild place, these have a greater chance of triggering false positives. Use wisely.</p> <p>This first rule matches against the SSH Client Protocol field that the backdoor uses to connect to a victim.
Any external host trying to connect to the backdoor on properly identified SSH ports will trigger the alert.</p> <pre class="language-bash" title=""><code>alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activty"; content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,/2014/02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)</code></pre> <p dir="ltr">The following Snort rule for detecting Linux/Ebury-infected machines sending harvested credentials to an exfiltration server has been provided by <a href="https://www.cert-bund.de/ebury-faq" target="_blank" rel="noopener">CERT‑Bund</a>.</p> <pre class="language-bash" title=""><code>alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Linux/Ebury SSH backdoor data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,/2014/02/21/an-in-depth-analysis-of-linuxebury/; reference:url,https://www.cert-bund.de/ebury-faq; classtype:trojan-activity; sid:1000002; rev:1;)</code></pre> <h2 dir="ltr">Conclusion</h2> <p dir="ltr">The Linux/Ebury malware is clearly a complex threat with many interesting features such as code hooking, advanced POSIX exception handling and various ways of hiding itself on an infected system. Based on data we captured, we estimate that thousands of systems are currently infected with Linux/Ebury. We feel it is important to specify that we have not witnessed a weakness in the OpenSSH software itself. The Linux/Ebury trojan propagates using the stolen credentials collected by the operators.
With the administrator’s credentials, there is no need for a “0-day” exploit, although how the operators bootstrapped the whole credential stealing operation is still a mystery.</p> <h2 dir="ltr">File Details</h2> <p dir="ltr">Trojanized<tt> libkeyutils.so</tt> file SHA-1 hashes.</p> <p><tt>09c8af3be4327c83d4a7124a678bbc81e12a1de4</tt> - Linux/Ebury - Version 1.3.2<br /><tt>2e571993e30742ee04500fbe4a40ee1b14fa64d7</tt> - Linux/Ebury - Version 1.3.4<br /><tt>39ec9e03edb25f1c316822605fe4df7a7b1ad94a</tt> - Linux/Ebury - Version 1.3.2<br /><tt>3c5ec2ab2c34ab57cba69bb2dee70c980f26b1bf</tt> - Linux/Ebury - Version 1.3.2<br /><tt>471ee431030332dd636b8af24a428556ee72df37</tt> - Linux/Ebury - Version 1.2.1<br /><tt>5d3ec6c11c6b5e241df1cc19aa16d50652d6fac0</tt> - Linux/Ebury - Version 1.3.3<br /><tt>74aa801c89d07fa5a9692f8b41cb8dd07e77e407</tt> - Linux/Ebury - Version 1.3.2<br /><tt>7adb38bf14e6bf0d5b24fa3f3c9abed78c061ad1</tt> - Linux/Ebury - Version 1.3.2<br /><tt>9bb6a2157c6a3df16c8d2ad107f957153cba4236</tt> - Linux/Ebury - Version 1.3.2<br /><tt>9e2af0910676ec2d92a1cad1ab89029bc036f599</tt> - Linux/Ebury - Version 1.3.3<br /><tt>adfcd3e591330b8d84ab2ab1f7814d36e7b7e89f</tt> - Linux/Ebury - Version 1.3.2<br /><tt>bf1466936e3bd882b47210c12bf06cb63f7624c0</tt> - Linux/Ebury - Version 1.3.2<br /><tt>d552cbadee27423772a37c59cb830703b757f35e</tt> - Linux/Ebury - Version 1.3.3<br /><tt>e14da493d70ea4dd43e772117a61f9dbcff2c41c</tt> - Linux/Ebury - Version 1.3.2<br /><tt>f1ada064941f77929c49c8d773cbad9c15eba322</tt> - Linux/Ebury - Version 1.3.2</p> <h2 dir="ltr">References</h2> <p dir="ltr">CERT‑Bund: Ebury FAQ - <a href="https://www.cert-bund.de/ebury-faq">https://www.cert-bund.de/ebury-faq</a></p> <p dir="ltr">cPanel - <a href="http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CompSystem">http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CompSystem</a></p> <p dir="ltr">Dr. 
Web - <a href="http://news.drweb.com/show/?i=3600&lng=en&c=5">http://news.drweb.com/show/?i=3600&lng=en&c=5</a></p> <p dir="ltr">Dr.Web - <a href="http://news.drweb.com/?i=3332&lng=en">http://news.drweb.com/?i=3332&lng=en</a></p> <p dir="ltr">Gunderson, Steinar - <a href="http://plog.sesse.net/blog/tech/2011-11-15-21-44_ebury_a_new_ssh_trojan.html">http://plog.sesse.net/blog/tech/2011-11-15-21-44_ebury_a_new_ssh_trojan.html</a></p> <p dir="ltr">SANS <a href="https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229">https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229</a></p> <p dir="ltr">WebHosting Talk - <a href="http://www.webhostingtalk.com/showthread.php?t=1235797">http://www.webhostingtalk.com/showthread.php?t=1235797</a></p> </div> <div class="article-subscribe-form mb-4"> <hr /> <div class="form-wrapper"> <div class="overlay"> <h2 class="title"> Let us keep you <br class='d-md-none'>up to date </h2> <p class="subtitle"> Sign up for our newsletters </p> <div class="form"> <form action="https://enjoy.eset.com/pub/rf" class="basic-searchform col-md-12 col-sm-12 col-xs-12 no-padding newsletter px-0" target="_blank" method="post" role="search"> <div class="search-input clearfix"> <input type="text" name="EMAIL_ADDRESS_" value="" placeholder="Your Email Address" required> <input type="checkbox" id="TOPIC" name="TOPIC" value="We Live Security Ukraine Newsletter"> <label for="TOPIC">Ukraine Crisis newsletter</label> <input type="checkbox" id="NEWSLETTER" name="NEWSLETTER" value="We Live Security"> <label for="NEWSLETTER">Regular weekly newsletter</label> <input type="hidden" name="_ri_" value="X0Gzc2X%3DAQpglLjHJlTQGgXv4jDGEK4KW2uhw0qgUzfwuivmOJOPCgzgo9vsI3VwjpnpgHlpgneHmgJoXX0Gzc2X%3DAQpglLjHJlTQGzbD6yU2pAgzaJM16bkTA7tOwuivmOJOPCgzgo9vsI3"> <input type="hidden" name="_ei_" value="Ep2VKa8UKNIAPP_2GAEW0bY"> <input type="hidden" name="_di_" value="m0a5n0j02duo9clmm4btuu5av8rdtvqfqd03v1hallrvcob47ad0"> <input type="hidden" name="EMAIL_PERMISSION_STATUS_" 
row-cols-1"><div class="article-list-card-header col"><div class="row g-0"><div class="col-9 d-md-none pe-3"><div class="article-list-card-title"><p class="category text-uppercase">ESET Research</p><p class="title">Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine</p></div></div><div class="col-3 col-md-12"><picture><source srcset="https://web-assets.esetstatic.com/tn/-x82/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg" media="(max-width: 768px)" /><img class="article-list-image small-card mt-1 mt-md-0 w-100" src="https://web-assets.esetstatic.com/tn/-x145/wls/2024/11-2024/wolfsbane/wolfsbane-gelsemium-gelsevirine-linux.jpeg" alt="Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine" loading="lazy" /></picture></div></div></div><div class="article-list-card-body col ps-0"><div class="d-none d-md-block pb-1"><div class="article-list-card-title"><p class="category text-uppercase">ESET Research</p><p class="title">Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine</p></div></div><div><div class="article-title-info"><p><b></b></p></div></div></div></div></a></div></div></div></div> </div> </div> <div class="sidebar col col-lg-4 ps-5 d-none d-lg-block position-sticky"> <div class="sticky-top sticky-top--container"> <div class="pb-4"> <div class="share-article-card"> <div class="sidebar-card-media"> <div class="mb-3"> <h3 class="articles-title-divider">Share Article</h3> </div> <div class="medias"> <a href="https://www.facebook.com/sharer/sharer.php?u=https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" title="Facebook" > <svg id="Layer_2" fill="#949ca1" class="facebook" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path 
fill="white"d="m30.9623,26.8125l.8054-5.2483h-5.0359v-3.4058c0-1.4358.7035-2.8354,2.9589-2.8354h2.2894v-4.4684s-2.0776-.3546-4.064-.3546c-4.1472,0-6.858,2.5137-6.858,7.0642v4h-4.61v5.2483h4.61v12.6875h5.6737v-12.6875h4.2305Z" /></g></svg> </a> <a href="https://www.linkedin.com/shareArticle?mini=true&url=https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" title="LinkedIn" > <svg id="Layer_2" fill="#949ca1" class="linkedin" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path fill="white"d="m18.7686,35.9995h-4.9757v-16.0232h4.9757v16.0232Zm-2.4905-18.2089c-1.5911,0-2.8816-1.3179-2.8816-2.9089.0002-1.5915,1.2906-2.8814,2.882-2.8812,1.5911.0002,2.881,1.29,2.8812,2.8812,0,1.5911-1.2911,2.9089-2.8816,2.9089Zm21.113,18.2089h-4.965v-7.8c0-1.8589-.0375-4.2429-2.587-4.2429-2.587,0-2.9834,2.0196-2.9834,4.1089v7.9339h-4.9704v-16.0232h4.7721v2.1857h.0696c.6643-1.2589,2.287-2.5875,4.7079-2.5875,5.0357,0,5.9614,3.3161,5.9614,7.6232v8.8018h-.0054Z" /></g></svg> </a> <a href="https://twitter.com/intent/tweet?url=https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" title="Twitter" > <svg id="Layer_2" fill="#949ca1" class="twitter" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="twitter"><g id="Layer_2-3"><g id="Research_icons"><path id="twitter-2" 
fill="white"d="m36.0847,16.9564c1.1786-.1395,2.3298-.4543,3.4153-.934-.7998,1.1935-1.8049,2.2357-2.9686,3.0783v.7675c0,7.8581-5.9779,16.9184-16.9184,16.9184-3.2314.004-6.3954-.9238-9.113-2.6722.4703.0571.9436.0856,1.4173.0853,2.6784.0044,5.2803-.8925,7.3871-2.5463-2.5446-.0467-4.7777-1.7068-5.5555-4.1301.3681.0703.742.1056,1.1168.1056.5293,0,1.0564-.0696,1.5676-.2071-2.775-.5608-4.7696-3.0006-4.7677-5.8317v-.0731c.826.4573,1.7488.712,2.6925.7432-2.6116-1.7476-3.4122-5.2258-1.8275-7.9394,3.0149,3.7157,7.4653,5.9771,12.2441,6.2215-.7617-3.1963,1.2119-6.4049,4.4082-7.1666,2.0894-.4979,4.285.1691,5.7444,1.7451,1.3319-.2639,2.6091-.7528,3.7768-1.4457-.4477,1.3745-1.3782,2.5402-2.6194,3.2813Z" /></g></g></g></g></svg> </a> <a href="mailto:?&subject=I wanted you to see this site&body=https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" title="mail" > <svg id="Layer_2" fill="#949ca1" class="social-icon" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path id="Path_7761" fill="white"d="m13.1593,14.9378c-.2808,0-.5616.0936-.8424.1872l11.8875,11.5131c.3744.468,1.0296.468,1.404.0936.0936,0,.0936-.0936.0936-.0936l12.0747-11.5131c-.2808-.0936-.5616-.1872-.7488-.1872H13.1593Zm-2.1529,1.9656v15.8188c-.0936,1.2168.8424,2.2465,2.0593,2.3401h23.8686c1.2168-.0936,2.1529-1.1232,2.0593-2.3401v-15.7252l-11.7939,11.3259c-1.2168,1.2168-3.1825,1.2168-4.3057,0l-11.8875-11.4195Z" /></g></svg> </a> <a href="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" title="copy" class="copy-link" > <svg id="Layer_2" fill="#949ca1" class="social-icon" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path 
fill="white"d="m32.2813,27.4375l3.7-3.7c2.7-2.7,2.7-7,0-9.7-2.7-2.7-7-2.7-9.7,0h0l-5.3,5.3c-2.7,2.7-2.7,7,0,9.7.4.4.8.7,1.3,1l2.8-2.8c-.6-.1-1.1-.4-1.5-.8-1.2-1.2-1.2-3.2,0-4.4l5.3-5.3c1.3-1.2,3.2-1.1,4.4.1,1.1,1.2,1.1,3.1,0,4.3l-1.6,1.6c.7,1.4.9,3.1.6,4.7h0Zm-14.7-4.7l-3.6,3.6c-2.7,2.7-2.6,7,0,9.7,2.7,2.6,6.9,2.6,9.6,0l5.3-5.3c2.7-2.7,2.7-7,0-9.7-.4-.4-.8-.7-1.3-1l-2.8,2.8c1.7.4,2.7,2.1,2.3,3.7-.1.6-.4,1.1-.8,1.5l-5.3,5.4c-1.2,1.3-3.1,1.3-4.4.1-1.3-1.2-1.3-3.1-.1-4.4,0-.1.1-.1.1-.1l1.6-1.5c-.7-1.6-.9-3.2-.6-4.8h0Z" /></g></svg> </a> </div> </div> </div> </div> <div class="pb-4"> <a class="d-block sidebar-card-banner" href="https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2024-q3-2024/" title="Apt Activity Report" target="_blank"> <img src="https://www.welivesecurity.com/build/assets/eset-apt-activity-report-q2-2024-q3-2024-d75a59c4.webp" alt="Apt Activity Report" class="w-100" > </a> </div> </div> </div> </div> <div class="row"> <div class="col col-lg-8 pe-lg-0"> <div class="my-4"> <h3 class="articles-title-divider">Discussion</h3> </div> <div id="disqus_thread"></div> </div> </div> </div> </div> <!-- footer --> <footer class="page-footer"> <div class="container"> <div class="row g-0"> <div class="col page-info-wrapper"> <div class="logo-wrapper"> <div class="logo"> <a href="/en/" title="Welivesecurity"> <?xml version="1.0" encoding="UTF-8"?><svg id="Layer_2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 290 31.7919"><defs><style>.cls-1{fill:#0b8690;}.cls-2{fill:#053b44;}</style></defs><g id="Layer_1-2"><g><path class="cls-2" 
d="M0,8.6081H5.1069l2.869,10.7299,3.3282-10.845h4.3616l3.3833,10.845,2.9261-10.7879h4.9947l-5.51,17.8465h-4.5336l-3.3833-10.903-3.5012,10.903H5.451L0,8.6081Zm26.6257,9.0093h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3955c.3233,2.123,2.219,3.6443,4.3616,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.8729,2.5259c-1.7441,2.1958-4.4284,3.4313-7.2306,3.3282-4.9064,.227-9.0678-3.5664-9.2947-8.4728-.0109-.236-.0124-.4724-.0045-.7085Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7303-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5747Zm57.842,7.9179l2.1266-3.3282c1.5999,1.2513,3.5393,1.9923,5.566,2.1267,1.4345,0,2.1266-.5162,2.1266-1.3195v-.057c0-1.0904-1.7216-1.4345-3.6733-2.0658-2.4679-.7463-5.2789-1.8937-5.2789-5.3369v-.057c0-3.6153,2.9261-5.6231,6.4843-5.6231,2.3553,.0234,4.6511,.742,6.5994,2.0658l-1.8937,3.5003c-1.4459-.9422-3.1015-1.5139-4.8207-1.6646-1.2054,0-1.8366,.5162-1.8366,1.2054v.057c0,.9754,1.6646,1.4345,3.6153,2.1267,2.4679,.8033,5.3369,2.0087,5.3369,5.2789v.057c0,3.9633-2.9261,5.7381-6.7666,5.7381-2.7543-.0573-5.4158-1.006-7.5854-2.7037Zm15.4356-6.4264h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3375c.3233,2.123,2.219,3.6443,4.3616,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.869,2.5249c-1.744,2.1959-4.4283,3.4315-7.2306,3.3282-5.3901,.001-9.3534-3.7835-9.3534-9.1804Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7303-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5747Zm6.1412,1.4906h0c-.0992-5.0349,3.9019-9.197,8.9368-9.2964h.3596c2.6878-.1539,5.2947,.9485,7.0566,2.9841l-3.0991,3.3282c-.9721-1.2277-2.4505-1.9458-4.0165-1.9507-2.5249,0-4.3036,2.2378-4.3036,4.8198v.057c0,2.697,1.7787,4.8778,4.4756,4.8778,1.5606-.0446,3.0342-.7295,4.0745-1.8937l2.9261,2.9841c-1.7686,2.1577-4.4423,3.3673-7.2306,3.2712-5.0035,.0682-9.115-3.9326-9.1832-8.9361,0-.0009,0-.0017,0-.0026,.0026-.0806,.0038-.1614,.0039-.2426Zm17.9606,2.5249V8.6642h5.0498v9.8706c0,2.4099
,1.1474,3.6153,3.0411,3.6153s3.1562-1.2054,3.1562-3.6153V8.6071h5.0498V26.3386h-5.0498v-2.5249c-1.1459,1.7743-3.1079,2.8527-5.22,2.869-3.7893,.001-6.0271-2.4669-6.0271-6.5414Zm18.4767-11.5342h5.0498v3.5573c1.0324-2.4679,2.697-4.0165,5.6811-3.9024v5.2789h-.29c-3.3282,0-5.3939,2.0087-5.3939,6.2543v6.5414h-5.047V8.6071Zm12.5666,0h5.0498V26.3386h-5.0498V8.6071Zm8.9561,12.7396V12.9117h-2.1267v-4.3036h2.1267V4.0745h5.0498v4.5336h4.1885v4.3036h-4.1924v7.5747c0,1.1474,.5162,1.7216,1.6066,1.7216,.8637,.0094,1.7148-.2083,2.4679-.6312v4.0165c-1.1964,.7132-2.571,1.0716-3.9633,1.0334-3.0952,.057-5.1571-1.2054-5.1571-5.2799Zm11.4153,9.1813l1.6646-3.6153c.6415,.4009,1.372,.6373,2.1267,.6883,.7821,.0558,1.5071-.4118,1.7787-1.1474l-6.9474-17.7885h5.3369l4.0165,12.1074,3.8444-12.1074h5.22l-6.7666,18.1326c-1.3775,3.6153-2.812,4.9928-5.8531,4.9928-1.5664,.0294-3.1059-.4102-4.4205-1.2625ZM182.4783,1.3195c1.3945,0,2.5249,1.1304,2.5249,2.5249s-1.1304,2.5249-2.5249,2.5249-2.5249-1.1304-2.5249-2.5249,1.1304-2.5249,2.5249-2.5249Zm38.8471,2.754v2.1267h-.6312v-2.1267h-.8603v-.5162h2.3528v.4592h-.8603l-.0009,.057Zm4.0755,2.1238v-1.7796l-.8033,1.7787h-.6312l-.7463-1.7787,.057,.3441v1.3775h-.5732V3.5573h.7463l.8603,2.0658,.9753-2.0658h.6883v2.6399h-.5732Z" /><path class="cls-1" 
d="M46.2508,2.2378h5.0498V26.3956h-5.0498V2.2378Zm7.9189,6.3693h5.0498V26.3386h-5.0498V8.6071Zm6.5414,0h5.3369l3.9633,11.8783,4.0126-11.8783h5.22l-7.0005,17.8465h-4.5907l-6.9416-17.8465Zm17.9035,9.0102h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3375c.3232,2.1226,2.2184,3.6438,4.3606,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.869,2.5249c-1.744,2.1959-4.4283,3.4315-7.2306,3.3282-5.3891,.001-9.3524-3.7835-9.3524-9.1804Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7294-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5738ZM56.6366,0c-1.7746,0-3.2132,1.4386-3.2132,3.2132,0,1.7746,1.4386,3.2132,3.2132,3.2132,1.7746,0,3.2132-1.4386,3.2132-3.2132h0c-.0188-1.7667-1.4464-3.1943-3.2132-3.2132Zm0,4.5907c-.7567-.0094-1.3677-.6208-1.3765-1.3775-.0202-.7605,.58-1.3933,1.3405-1.4135,.7605-.0202,1.3933,.58,1.4135,1.3405,.0006,.0243,.0006,.0487,0,.073-.0089,.7571-.6204,1.3686-1.3775,1.3775Zm191.3425,4.0213c-2.2021-.0287-4.2611,1.0885-5.4375,2.9502-.9299,1.6095-1.1339,4.233-1.1339,5.9711s.2049,4.3596,1.1339,5.9691c1.1767,1.8615,3.2355,2.9785,5.4375,2.9502h34.4972c2.2018,.0283,4.2603-1.0888,5.4365-2.9502,.928-1.6095,1.1349-4.233,1.1349-5.9711s-.2069-4.3567-1.1349-5.9662c-1.1762-1.8615-3.2347-2.9786-5.4365-2.9502l-34.4972-.0029Zm22.9572,7.9392h2.9v-.0899c0-1.3272-.5326-1.4268-1.4896-1.4268-1.16,0-1.3794,.377-1.4133,1.5167m-20.3859-1.4297c.9512,0,1.4635,.0967,1.4635,1.3997v.0628h-2.8487c.0319-1.1165,.2591-1.4626,1.3852-1.4626m-4.0233,2.463c0,3.1262,.783,4.2533,4.0745,4.2533,1.0071,.0751,2.0175-.0927,2.9464-.4891,.7808-.4894,1.2122-1.3829,1.1097-2.2987h-2.5965c-.0271,.8903-.6322,.9821-1.4626,.9821-1.1996,0-1.4336-.4833-1.4336-1.9788v-.0638h5.4887v-.405c0-3.4123-.9231-4.2668-4.06-4.2668-3.3553,0-4.0745,1.044-4.0745,4.2668m9.8793-1.5621c0,1.6665,.5742,2.4476,4.0735,2.4476,.3744-.0275,.7508,.0097,1.1126,.1102,.2736,.1199,.4021,.3586,.4021,.7927,0,.726-.2658,.8043-1.5128,.8043-.6931,0-1.3987-.0155-1.4307-.9502h-2.6438c.0203,1.8425,
.8932,2.4447,2.5085,2.5732,.4882,.0377,1.0188,.0348,1.565,.0348,2.2233,0,4.0735-.3712,4.0735-2.7849,0-2.2997-1.1996-2.463-4.0745-2.5288-1.4268-.0319-1.5109-.3316-1.5109-.8043,0-.5616,.0619-.7405,1.5119-.7405,.5317,0,1.0633,.0474,1.1822,.7086h2.4882v-.3393c0-2.001-2.0967-2.03-3.6733-2.03-2.3625,0-4.0735,.0532-4.0735,2.7066m21.6744-2.7066h6.5018v1.9005h-1.9333v6.525h-2.6274v-6.524h-1.9333l-.0077-1.9014Zm-9.7275,4.2059c0-3.2122,.7086-4.2398,4.0464-4.2398,3.1194,0,4.031,.842,4.031,4.2398v.376h-5.4896v.0909c0,1.4945,.2359,2.0058,1.4587,2.0058,.8226,0,1.45-.0909,1.4896-.9821h2.5413c.0948,.8946-.3269,1.7653-1.0875,2.2456-.9243,.3931-1.9294,.5588-2.9309,.4833-3.276,0-4.0464-1.1088-4.0464-4.2224m-23.7624,5.7874c-1.3214-1.421-1.6134-3.652-1.6134-5.7739s.29-4.35,1.6134-5.7758c1.0333-.9868,2.3994-1.5498,3.828-1.5776h17.7865v14.7048h-17.7865c-1.4285-.0278-2.7946-.5908-3.828-1.5776m43.7423-16.12c.0004-.036-.009-.0714-.0271-.1025-.0116-.0387-.0445-.0628-.086-.0899-.0385-.0194-.0807-.0303-.1237-.0319-.0559-.0087-.1126-.0123-.1692-.0106h-.1508v.5394h.115c.0678,.0013,.1357-.0022,.203-.0106,.0495-.0114,.0968-.0307,.1402-.057,.0317-.0265,.0574-.0594,.0754-.0967,.016-.0456,.0235-.0938,.0222-.1421m.8226,1.3533h-.61l-.5742-.7086h-.1933v.7066h-.4679v-1.913h.7269c.1085-.0031,.2172,.0024,.3248,.0164,.0855,.0088,.1681,.0355,.2426,.0783,.0789,.0405,.1456,.1012,.1933,.1759,.0425,.0819,.0625,.1737,.058,.2658,.0044,.1242-.0384,.2454-.1199,.3393-.0832,.0952-.1884,.1685-.3064,.2136l.7259,.8255Zm.4186-.9203c.0053-.4029-.1547-.7903-.4427-1.072-.2749-.2868-.6574-.4452-1.0546-.4369-.3998-.0086-.7851,.1497-1.0633,.4369-.5856,.5955-.5856,1.5505,0,2.146,.5715,.5851,1.5091,.5962,2.0942,.0247,.0083-.0081,.0166-.0164,.0247-.0247,.289-.2818,.4492-.6703,.4427-1.074m.4253,0c.0069,.5131-.1972,1.0066-.5645,1.3649-.7536,.747-1.9685,.747-2.7221,0-.3705-.3563-.5758-.851-.5665-1.3649-.0083-.5104,.1971-1.001,.5665-1.3533,.7441-.75,1.955-.7561,2.7066-.0135l.0135,.0135c.3662,.3543,.5704,.8438,.5645,1.3533m-64.0238,6.763
7h2.1044c1.5563,0,2.32,.6206,2.32,1.74,.0109,.539-.2936,1.0349-.7791,1.2692v.0242c.7243,.1716,1.2395,.8131,1.2509,1.5573,0,1.16-.6767,1.9652-2.5133,1.9652h-2.3828v-6.5559Zm2.0483,2.7588c.7414,0,1.1126-.2591,1.1126-.8893,0-.6767-.4456-.899-1.2799-.899h-.6109v1.7883h.7782Zm.2127,2.7898c.87,0,1.362-.2223,1.362-.9261s-.5007-.9667-1.4829-.9667h-.87v1.8908l.9908,.0019Zm4.9406-1.248l-2.32-4.3007h1.4548l1.5418,3.2267,1.6433-3.2248h1.4084l-2.4659,4.2726v2.2775h-1.2566l-.0058-2.2514Z" /></g></g></svg> </a> </div> </div> <div class="page-info"> <p> Award-winning news, views, and insight from the ESET security community </p> </div> </div> <div class="col footer-links"> <a href="/en/company/about-us/" title="About us" >About us</a> <a href="https://www.eset.com" title="ESET" >ESET</a> <a href="/en/company/contact-us/" title="Contact us" >Contact us</a> <a href="/en/company/privacy/" title="Privacy Policy" >Privacy Policy</a> <a href="/en/company/legal-information/" title="Legal Information" >Legal Information</a> <a href="/en/#" title="Manage Cookies" id="manage-cookies" onclick="event.preventDefault()" >Manage Cookies</a> <a href="/en/rss/feed/" title="RSS Feed" >RSS Feed</a> </div> <div class="col social-networks"> <a href="https://www.facebook.com/eset/" title="Join our facebook fan site!"> <svg id="Layer_2" fill="#949ca1" class="facebook" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path fill="white"d="m30.9623,26.8125l.8054-5.2483h-5.0359v-3.4058c0-1.4358.7035-2.8354,2.9589-2.8354h2.2894v-4.4684s-2.0776-.3546-4.064-.3546c-4.1472,0-6.858,2.5137-6.858,7.0642v4h-4.61v5.2483h4.61v12.6875h5.6737v-12.6875h4.2305Z" /></g></svg> </a> <a href="https://youtube.com/esetglobal" title="Watch our videos at YouTube Channel."> <svg id="Layer_2" fill="#949ca1" class="youtube" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g 
id="Layer_1-2"><g id="youtube"><g id="SOCIAL_MEDIA"><path id="youtube-2" fill="white"d="m39.3741,17.7792c-.3492-1.2938-1.3598-2.3044-2.6536-2.6536-2.3399-.625-11.7206-.625-11.7206-.625,0,0-9.3745,0-11.7206.625-1.2941.3485-2.305,1.3594-2.6536,2.6536-.4319,2.3823-.6412,4.7997-.6249,7.2208-.0162,2.4211.193,4.8385.625,7.2208.3478,1.2946,1.359,2.3058,2.6536,2.6536,2.3399.625,11.7206.625,11.7206.625,0,0,9.3807,0,11.7206-.625,1.2942-.3485,2.3051-1.3594,2.6536-2.6536.4315-2.3824.6408-4.7997.625-7.2208.0158-2.4211-.1934-4.8384-.625-7.2208h0Zm-17.374,11.7205v-8.9994l7.7933,4.4997-7.7933,4.4997Z" /></g></g></g></g></svg> </a> <a href="https://twitter.com/ESET" title="Visit the official WLS Twitter page."> <svg id="Layer_2" fill="#949ca1" class="twitter" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="twitter"><g id="Layer_2-3"><g id="Research_icons"><path id="twitter-2" fill="white"d="m36.0847,16.9564c1.1786-.1395,2.3298-.4543,3.4153-.934-.7998,1.1935-1.8049,2.2357-2.9686,3.0783v.7675c0,7.8581-5.9779,16.9184-16.9184,16.9184-3.2314.004-6.3954-.9238-9.113-2.6722.4703.0571.9436.0856,1.4173.0853,2.6784.0044,5.2803-.8925,7.3871-2.5463-2.5446-.0467-4.7777-1.7068-5.5555-4.1301.3681.0703.742.1056,1.1168.1056.5293,0,1.0564-.0696,1.5676-.2071-2.775-.5608-4.7696-3.0006-4.7677-5.8317v-.0731c.826.4573,1.7488.712,2.6925.7432-2.6116-1.7476-3.4122-5.2258-1.8275-7.9394,3.0149,3.7157,7.4653,5.9771,12.2441,6.2215-.7617-3.1963,1.2119-6.4049,4.4082-7.1666,2.0894-.4979,4.285.1691,5.7444,1.7451,1.3319-.2639,2.6091-.7528,3.7768-1.4457-.4477,1.3745-1.3782,2.5402-2.6194,3.2813Z" /></g></g></g></g></svg> </a> <a href="https://www.linkedin.com/company/eset" title="Follow us on LinkedIn."> <svg id="Layer_2" fill="#949ca1" class="linkedin" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path 
fill="white"d="m18.7686,35.9995h-4.9757v-16.0232h4.9757v16.0232Zm-2.4905-18.2089c-1.5911,0-2.8816-1.3179-2.8816-2.9089.0002-1.5915,1.2906-2.8814,2.882-2.8812,1.5911.0002,2.881,1.29,2.8812,2.8812,0,1.5911-1.2911,2.9089-2.8816,2.9089Zm21.113,18.2089h-4.965v-7.8c0-1.8589-.0375-4.2429-2.587-4.2429-2.587,0-2.9834,2.0196-2.9834,4.1089v7.9339h-4.9704v-16.0232h4.7721v2.1857h.0696c.6643-1.2589,2.287-2.5875,4.7079-2.5875,5.0357,0,5.9614,3.3161,5.9614,7.6232v8.8018h-.0054Z" /></g></svg> </a> <a href="https://www.welivesecurity.com/rss-configurator/" title="Don´t miss a single post!"> <svg id="Layer_2" fill="#949ca1" class="social-icon" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="rss"><g id="SOCIAL_MEDIA"><path id="rss-2" fill="white"d="m16.9299,36.9089c-1.8039-.0139-3.255-1.4876-3.2411-3.2915.0139-1.8039,1.4876-3.255,3.2915-3.2411,1.7931.0138,3.2398,1.4706,3.2412,3.2638-.006,1.8113-1.4791,3.2748-3.2904,3.2688-.0004,0-.0008,0-.0012,0Zm12.6168,0c-.0331-8.7521-7.1549-15.8203-15.907-15.7872h-.0014v4.6272c6.1869-.0232,11.2214,4.9731,11.2452,11.16h4.6632Zm8.0916,0c-.0503-13.2044-10.7953-23.8679-23.9997-23.8176-.0001,0-.0002,0-.0003,0v4.7628c10.5637-.0398,19.1597,8.4911,19.2,19.0548h4.8Z" /></g></g></g></svg> </a> </div> </div> <div class="row g-0"> <div class="col copyright"> Copyright © ESET, All Rights Reserved </div> </div> </div> </footer> </div> <!-- scripts --> <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/app-7a4ecde0.js" /><script type="module" src="https://www.welivesecurity.com/build/assets/app-7a4ecde0.js"></script> <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/search-7d9f58b7.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/_commonjsHelpers-042e6b4d.js" /><script type="module" src="https://www.welivesecurity.com/build/assets/search-7d9f58b7.js"></script> <script> var disqus_config = 
function () { this.page.url = "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"; this.page.identifier = "An In-depth Analysis of Linux/Ebury"; this.page.title = "21059"; this.language = "en"; }; (function() { var d = document, s = d.createElement('script'); s.src = 'https://welivesecurity.disqus.com/embed.js'; s.setAttribute('data-timestamp', +new Date()); (d.head || d.body).appendChild(s); })(); </script> <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/prism-40494b65.css" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/prism-40d1b0a4.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/_commonjsHelpers-042e6b4d.js" /><link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/prism-40494b65.css" /><script type="module" src="https://www.welivesecurity.com/build/assets/prism-40d1b0a4.js"></script> <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/article-e3625c4c.css" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/article-98874652.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/table-wrapper-135558d1.js" /><link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/article-e3625c4c.css" /><script type="module" src="https://www.welivesecurity.com/build/assets/article-98874652.js"></script></body> </html>