The dark side of the ForSSHe


In February 2014, ESET researchers from Montreal published a report on a group that had compromised more than 40,000 Linux servers worldwide since 2011. This research was presented at LCA 2015 as Operation Windigo. The modus operandi of this campaign consisted mainly of stealing login credentials through an OpenSSH backdoor called Ebury, allowing the operators to extend their network of compromised servers. Prior to installing the backdoor, the operators used a recon script to collect a handful of details, including the presence of other OpenSSH backdoors on the system. In 3 years, we collected hundreds of undocumented samples matching rules based on the signatures we extracted from the script. This talk will present our analysis of these samples, from the most basic ones to advanced ones involving exotic encryption algorithms, anti-logging and diverse methods of exfiltration. In order to pivot on these findings, we have set up a custom honeypot infrastructure and let the operators behind the backdoors play with it. We will present the checks they make before deploying their malware, how they install it and the lateral movements we observed so far. We will also talk about the new samples we were able to obtain thanks to this gamble. Finally, we will give some pointers on preventing this kind of threat and on how one can ensure the legitimacy of OpenSSH daemons and clients.

Presented by

    Hugo Porcher

    Hugo Porcher recently graduated from a double degree program in computer security: an M.Eng. from the École de technologie supérieure (Canada) and a B.Eng. from the University of Technology of Troyes (France). He is now working as a Malware Researcher at ESET, where he performs analysis of complex threats and tries to conquer the world through the art of reverse engineering. In his free time, he enjoys sliding sports such as surfing and skiing, and expanding his knowledge by reading cryptic technical papers or books and doing CTF challenges.

    Romain Dumont

    Romain Dumont was hired by ESET in January 2017 as a malware researcher. He does not focus on a specific malware family, but he likes to experiment with all kinds of malware. He previously worked as a security consultant at Thales, where he performed penetration tests.