ESET discovers 12 previously undetected Linux backdoors

Next story

ESET, a global leader in cybersecurity, has announced its latest discovery of 12 previously undetected Linux malware families based on OpenSSH, documented in their latest research paper “The Dark Side of the ForSSHe”. These powerful tools give attackers full control over Linux server’s operations and are widely used both by crimeware and APT groups. OpenSSH is the most common tool for system administrators to manage virtual, cloud or dedicated rented Linux servers and, as 37 percent of public-facing internet servers run Linux, OpenSSH is often a point of attack by threat actors aiming at fully controlling the targeted servers.

The research, which involved deploying custom honeypots, classifying of samples and analyzing different malware families, provides an overview of the current state of the OpenSSH backdoor landscape. By analyzing the samples, ESET researchers revealed several interesting tricks; one malware family has multiple ways of communicating with its C&C server, implementing HTTP, raw TCP and DNS. Other malware families were able to receive commands through the SSH password or include cryptocurrency mining features.

Marc-Etienne Léveillé, the senior malware researcher at ESET who led the study, commented on the significance of such threats: “Sometimes, I still hear the old adage that Linux is more secure than other operating systems and somehow immune to malware. But the threats they are facing are no less serious and we dedicate resources to research them and improve the protection against them.“

ESET’s latest research follows insights gleaned from its Windigo investigation in 2013, where ESET researchers discovered a complex botnet of Linux machines, named Operation Windigo, and assisted with disrupting the 25 thousand-strong botnet. The key component of Windigo was an OpenSSH-based backdoor named Ebury ESET researchers noted that the malicious actors performed a check if other SSH backdoors are present at the targeted system before its deployment. As most backdoors were unknown at the time, ESET decided to start hunting for them and this latest research is the result of this successful pursuit.

In order to protect systems and safeguard data, ESET recommends businesses carry out the following:

  • Keep systems up-to-date
  • Favor key-based authentication for SSH
  • Disable remote root login
  • Use a multi-factor authentication solution for SSH

Concluding on the significance of the study, Léveillé further commented: “Hopefully, these discoveries will enable significant improvements in the prevention, detection and remediation of future OpenSSH based attacks on Linux servers. Compromised servers are a cybersecurity nightmare but by working together, system administrators and malware researchers can help each other in the fight against server-side malware.”


About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit or follow us on LinkedIn, Facebook and Twitter.