The Montreal branch of a security company is patting itself on the back for being among the resources used by the FBI to help convict a Russian for his role in creating and spreading the Linux-based Ebury botnet.
Alexis Dorais-Joncas, security intelligence team lead at the Montreal malware lab of ESET, said work done by researcher Marc-Étienne Léveillé contributed to the evidence mounted by the FBI which led to the guilty plea last week of Maxim Senakh to conspiring to violate the U.S. Computer Fraud and Abuse Act and to commit wire fraud. In exchange for the plea nine other charges were dropped.
Senakh, who had been extradited from Finland to the U.S. in 2015 on the charges, will be sentenced later this year.
However, the botnet – which Dorais-Joncas said has pulled in “millions of dollars” in revenue – is still operating.
“In 2013 we started investigating, and published a report in 2014,” said Dorais-Joncas. “This got the attention of the FBI. We kept in touch with them and assisted them with technical details on tools the bad guys were using and the infrastructure they were using to support their operation, as well as identified some victims.”
Senakh pleaded guilty to being part of a conspiracy that, starting in 2008, installed malware dubbed Ebury in Minnesota and around the world to steal administrator credentials not only on Linux servers but also from servers that connected to the infected servers. The botnet thus created was used to generate revenue from click-fraud through ads on infected Web pages on unsuspecting sites, and from spreading spam. When victims clicked on links in the spam they were taken to Websites of advertisers affiliated with the conspirators.
It was a chain, said Dorais-Joncas – anyone who connected to an infected server got infected themselves.
Senakh faces a maximum of five years in prison, a supervised release term of up to three years and a fine of up to $250,000. The guilty plea agreement is only for the judicial district of Minnesota and doesn’t bind any other U.S. jurisdiction from laying criminal charges.
The biggest revelation of the ESET investigation of the botnet – which began in 2013 – is the gang’s skills in Linux systems administration, said Dorais-Joncas. “They know how to manage Linux servers, and how to stay hidden on servers. They employ tricks to prevent legitimate owners from detecting infection.” For example, not every visitor to an infected Web site received malicious content: there was an “extensive list” of criteria to meet before malware would be served, and the same IP address couldn’t get malicious code more than once a day. If a real admin logged into the server and ran tools to analyze its behavior, the malicious content would be hidden.
Marc-Étienne Léveillé was part of a team (including CERT-Bund, the Swedish National Infrastructure for Computing and the European Organization for Nuclear Research (CERN)) that first wrote about what came to be called Ebury in 2014. In that report he noted the backdoor malware stole OpenSSH credentials by installing a malicious library and a patch to the main OpenSSH binaries.
A subsequent ESET blog, which dubbed the campaign Operation Windigo, was published a month later with more detail.
It isn’t easy to detect the altered SSH clients, Dorais-Joncas said, although there are tools that can do it. The malware prevents system administrators from noticing the file modifications when issuing the usual rpm --verify openssh-servers command. However, running rpm -qi openssh-servers would clearly show that the package signatures are missing, which should be considered suspicious.
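As an added illustration of the rpm -qi check described above (this script is not from the article, ESET or CERT-Bund), the POSIX shell below classifies the Signature field of rpm -qi output and flags a package reported as “(none)”. It assumes an RPM-based host where the package is named openssh-server, as it is on RHEL and CentOS; the sample outputs and the Key ID in them are constructed.

```shell
#!/bin/sh
# Added example (not from the article or from ESET): classify the "Signature"
# field of `rpm -qi` output, the check the article says exposes Ebury-patched
# OpenSSH packages even when `rpm --verify` reports nothing. Sample outputs
# below are constructed, including the placeholder Key ID.

# Read `rpm -qi` text on stdin and print one of: signed, unsigned, unknown.
# rpm prints "Signature   : (none)" for a package installed without a signature.
classify_signature() {
    awk -F': *' '
        /^Signature/ { sig = $2 }
        END {
            if (sig == "(none)")  print "unsigned"
            else if (sig == "")   print "unknown"   # no Signature line at all
            else                  print "signed"
        }
    '
}

# Constructed output for openssh-server installed from a signed repository.
SIGNED_SAMPLE='Name        : openssh-server
Version     : 7.4p1
Release     : 21.el7
Signature   : RSA/SHA256, Wed 01 Nov 2017 12:00:00 PM UTC, Key ID 0123456789abcdef
Source RPM  : openssh-7.4p1-21.el7.src.rpm'

# Constructed output for the same package after being replaced by an unsigned build.
UNSIGNED_SAMPLE='Name        : openssh-server
Version     : 7.4p1
Release     : 21.el7
Signature   : (none)
Source RPM  : openssh-7.4p1-21.el7.src.rpm'

# On a live RPM-based host, query the installed package; returns non-zero unless
# it is signed. Run `rpm --verify` too, but a clean verify alone proves little here.
check_live_package() {
    pkg="${1:-openssh-server}"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; skipping live check for $pkg" >&2
        return 2
    fi
    status=$(rpm -qi "$pkg" 2>/dev/null | classify_signature)
    echo "$pkg: $status"
    [ "$status" = "signed" ]
}

# Demonstrate on the constructed samples (prints "signed" then "unsigned").
printf '%s\n' "$SIGNED_SAMPLE"   | classify_signature
printf '%s\n' "$UNSIGNED_SAMPLE" | classify_signature
```

On a real host, `check_live_package openssh-server` queries the installed package; an “unsigned” result on a server whose packages all came from signed repositories warrants an out-of-band comparison of the binaries.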
The best way to clean a server is to re-install the operating system and change all passwords – and every infected server in an organization has to be cleansed at the same time, or when it is put back online it will be immediately re-infected.
The way the attack worked didn’t expose a lack of security awareness, Dorais-Joncas said – although he admitted that in 2014 when ESET researchers spoke about the infection at Linux conferences attendees were surprised. They were more used to handling Linux attacks for stealing data, he said.
That’s one of the lessons for administrators, he said: they have to know these kinds of threats exist. They also need to use tools for detecting changes to the operating system.
The CERT-BUND has put up this FAQ page for admins: https://www.cert-bund.de/ebury-faq , although some information is out of date. Sysadmins can also contact ESET for information at windigo [AT] eset[.]com.