A week ago, a modified SSH binary was detected as Linux/SSHDoor.A by ESET. It steals SSH logins and allows backdoor access to the compromised servers.
This blog post provides an in-depth analysis of how this backdoor has been used in injection attacks. Two hostnames, linuxrepository[.]org and openssh[.]info, were found in the backdoored SSH binary.
While researching this incident, the backdoor's communication behavior struck us as extremely interesting.
We traced three weeks of contacts to the two C&C servers mentioned above. (The data examined comes from a single hour each day, collected by our Singapore datacenter.) Each day, we observed roughly 60 machines making relatively stable contact. The servers were obviously compromised weeks before the trojan was detected and reported. Interestingly, these servers belong to 4 netblocks in Malaysia.
It is not known how these servers got infected with the trojanized SSH binary, but it was clearly a network-wide security vulnerability, since a large number of servers on the same network were infected.
A majority of these compromised servers host up to several hundred websites each. According to their registration records, these websites are owned by different entities. We can easily imagine that hundreds of SSH logins were stolen if their owners accessed the servers via SSH. The several thousand hosted websites are very likely already compromised and are being used, or can be used at any minute, to serve up malware or the like. Fortunately, we are not seeing much traffic to these risky sites from Umbrella customers. These sites will be closely monitored for security risks, and of course the sites we discovered to be compromised are already being blocked for our customers.
Another interesting note is that although both hostnames were found in the trojanized binary, the communication patterns to the two C&Cs are quite different. Both servers were rarely contacted by the same compromised machine. Instead of each being used as a backup server for the other, they seem to be contacted separately based on certain configurations (possibly server system versions). The following is a Maltego plot of the compromised machines communicating with the C&C servers (the blue dots in the center). This plot is definitely my favorite of all time. 🙂
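The two observations above (a stable daily count of distinct clients contacting the C&C hostnames, and the two hostnames rarely being contacted by the same machine) can be reproduced from resolver logs with a small script. This is an added example, not code from the original post or from Umbrella; the log format (timestamp, client IP, queried name) and the log lines themselves are constructed, while the two hostnames are the ones named in the post.

```python
"""Per-day summary of clients resolving the two SSHDoor C&C hostnames."""
from collections import defaultdict

# Hostnames taken from the post (de-fanged form removed so they match log entries).
CNC_HOSTS = {"linuxrepository.org", "openssh.info"}

# Constructed sample resolver log, one query per line: "<timestamp> <client> <qname>".
# These addresses and dates are invented for illustration, not real observations.
SAMPLE_LOG = """\
2013-01-21T10:02:11 192.0.2.10 linuxrepository.org
2013-01-21T10:02:40 192.0.2.11 openssh.info
2013-01-21T10:03:05 192.0.2.12 linuxrepository.org
2013-01-21T10:04:12 192.0.2.10 www.example.com
2013-01-22T10:01:58 192.0.2.10 linuxrepository.org
2013-01-22T10:02:31 192.0.2.11 openssh.info
2013-01-22T10:05:09 192.0.2.13 openssh.info
2013-01-22T10:05:44 192.0.2.13 linuxrepository.org
"""


def parse_log(text):
    """Yield (day, client, qname) for queries that hit a known C&C hostname."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in CNC_HOSTS:
            yield ts[:10], client, qname


def clients_per_day(text):
    """Map day -> hostname -> set of distinct client IPs that queried it."""
    result = defaultdict(lambda: defaultdict(set))
    for day, client, qname in parse_log(text):
        result[day][qname].add(client)
    return result


def daily_client_counts(text):
    """Distinct clients per day contacting either C&C (the 'stable ~60/day' figure)."""
    return {day: len(set.union(*hosts.values()))
            for day, hosts in clients_per_day(text).items()}


def overlapping_clients(text):
    """Clients that queried both C&C hostnames on the same day (rare per the post)."""
    overlap = set()
    for per_host in clients_per_day(text).values():
        overlap |= set.intersection(*(per_host[h] for h in CNC_HOSTS))
    return overlap
```

A client appearing in `overlapping_clients` would contradict the post's observation that the two C&Cs are used separately, so that set is worth reviewing by hand.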