Howto detect Ebury SSH Backdoor

by Florian Roth, Feb 25, 2014

The following Yara signature can be used to detect the Ebury SSH backdoor.

rule Ebury_SSHD_Malware_Linux {
	meta:
		description = "Ebury Malware"
		author = "Florian Roth"
		hash = "4a332ea231df95ba813a5914660979a2"
	strings:
		$s0 = "keyctl_set_reqkey_keyring" fullword
		$s1 = "recursive_session_key_scan" fullword
		$s2 = "keyctl_session_to_parent" fullword
		$s3 = "keyctl_assume_authority" fullword
		$s4 = "keyctl_get_security_alloc" fullword
		$s5 = "keyctl_instantiate_iov" fullword
		$s6 = "keyutils_version_string" fullword
		$s7 = "keyctl_join_session_keyring" fullword
		$a1 = "%[^;];%d;%d;%x;"
	condition:
		all of them
}

Anyone who does not want to use Yara can fall back on this workaround.

find /lib -type f -size -50k -exec strings -f {} \; | grep '%\[^;\];%d;%d;%x;'
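As an added example (not part of the original post), the following Python script applies the same condition as the Yara rule above to files under a directory: every keyctl string must be present with Yara's fullword semantics (not adjacent to an alphanumeric character) and the format string must be present too, using the same size cut-off as the find workaround. It also exposes what the grep workaround alone checks, so the difference between the two is visible. The sample contents and file names in it are constructed for the demonstration and are not real Ebury binaries.

```python
import os
import re
import tempfile

# String set taken from the Ebury_SSHD_Malware_Linux Yara rule above.
# $s0..$s7 are 'fullword' strings; $a1 is the format string.
KEYCTL_STRINGS = [
    b"keyctl_set_reqkey_keyring",
    b"recursive_session_key_scan",
    b"keyctl_session_to_parent",
    b"keyctl_assume_authority",
    b"keyctl_get_security_alloc",
    b"keyctl_instantiate_iov",
    b"keyutils_version_string",
    b"keyctl_join_session_keyring",
]
FORMAT_STRING = b"%[^;];%d;%d;%x;"
MAX_SIZE = 50 * 1024  # mirrors 'find -size -50k'


def fullword_present(data: bytes, needle: bytes) -> bool:
    """Yara 'fullword' semantics: the string must not be preceded or followed
    by an alphanumeric character (an underscore counts as a delimiter)."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def format_string_present(data: bytes) -> bool:
    """What the grep workaround checks: only the $a1 format string."""
    return FORMAT_STRING in data


def matches_ebury_rule(data: bytes) -> bool:
    """Rule condition 'all of them': every keyctl string as fullword plus $a1."""
    return all(fullword_present(data, s) for s in KEYCTL_STRINGS) and format_string_present(data)


def scan_directory(root: str, max_size: int = MAX_SIZE) -> list:
    """Walk root, read every regular file smaller than max_size and return the
    paths whose contents satisfy the rule condition."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                if os.path.getsize(path) >= max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:  # unreadable file: skip it rather than abort the scan
                continue
            if matches_ebury_rule(data):
                hits.append(path)
    return sorted(hits)


# Constructed sample contents (not real Ebury binaries): NUL-separated strings,
# as they would sit in a string table and be printed by 'strings'.
SAMPLE_EBURY_LIKE = b"\x00".join(KEYCTL_STRINGS + [FORMAT_STRING]) + b"\x00"
SAMPLE_CLEAN_KEYUTILS = b"\x00".join(KEYCTL_STRINGS) + b"\x00"  # benign libkeyutils-like file
SAMPLE_FORMAT_ONLY = b"parse with " + FORMAT_STRING + b"\x00"   # grep hit, but not a rule hit
SAMPLE_SUBSTRINGS = b"\x00".join(s + b"2" for s in KEYCTL_STRINGS) + b"\x00" + FORMAT_STRING


def demo_scan() -> list:
    """Write the constructed samples into a temporary tree, scan it and return
    the base names the rule condition flags."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "libkeyutils-ebury-like.so": SAMPLE_EBURY_LIKE,
            "libkeyutils-clean.so": SAMPLE_CLEAN_KEYUTILS,
            "parser.so": SAMPLE_FORMAT_ONLY,
            "too-big.so": SAMPLE_EBURY_LIKE + b"\x00" * MAX_SIZE,  # skipped by the size filter
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return [os.path.basename(p) for p in scan_directory(root)]


if __name__ == "__main__":
    # Same scope as the find workaround: small files below /lib.
    for hit in scan_directory("/lib"):
        print(hit)
```

Run as a script it scans /lib like the find command; imported, demo_scan() shows the behaviour on the constructed samples. A file that contains only the format string satisfies the grep workaround but not the rule, and a benign keyutils library that carries all the keyctl symbol names but not the format string matches neither, which is why the rule requires all strings together.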

Further information on detecting Ebury is available from CERT-Bund.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
