OpenSSH, a suite of networking software that allows secure communications over an unsecured network, is the most common tool for system administrators to manage rented Linux servers. And given that over one-third of public-facing internet servers run Linux, it shouldn’t come as a surprise that threat actors would exploit OpenSSH’s popularity to gain control of them.

How severe is the threat?

Nearly five years ago, ESET researchers helped to disrupt a 25 thousand-strong botnet of Linux machines that were saddled with an OpenSSH-based backdoor and credential stealer named Ebury. The attackers wielding it first performed a check if other SSH backdoors are present at the targeted system before deploying the malware.

This spurred the researchers to search for and analyze these type of (server-side OpenSSH) backdoors.

“Malicious OpenSSH binaries are quite common and have features that help us detect them among legitimate OpenSSH binaries. While, as soon as we got them, we used the samples collected to improve our detection, we only began sorting and analyzing them in 2018. Surprisingly, we discovered many new backdoor families that had never been documented before,” they noted in a recently released report detailing nine previously documented and 12 new OpenSSH malware families.

Stealing credentials, creating a backdoor, gaining root access

They found that there is a wide spectrum of complexity in backdoor implementation, starting from off-the-shelf malware to obfuscated samples and network protocols, but that all of them are the result of modifying and recompiling the original portable OpenSSH source used on Linux.

Also, that there are multiple code bases for the various backdoors, but that most of them share similar basic features (e.g., hardcoded credentials to activate a backdoor mode, credential stealing).

All of the collected samples copy the stolen credentials to a local file, even though attackers then must log back onto the compromised machine to retrieve the file. But some of the malware families are also capable of pushing the credentials on the network.

“Interestingly, those backdoors were also the most complex ones; not one was based on publicly-available source code,” the researchers found. “Exfiltration techniques for stolen SSH credentials are creative and include SMTP (mail sent to malicious operator), HTTP, DNS, and even custom protocols using TCP and UDP.”

The malware configures the OpenSSH daemon to make sure attackers can gain a root shell on the system and bypasses logging functionality so that it does not leave traces on the system.

Mitigation advice

The report contains more details about each malware family, as well as indicators of compromise, YARA rules and instructions that can come in handy for detecting existing intrusions.

Even though the researchers can’t determine the infection vector used to install these OpenSSH backdoors into systems, they advise administrators to use long and complex passwords or even disable password authentication and switch to using key-based authentication for SSH.

“The most efficient solution would be to use multi-factor authentication. While OpenSSH doesn’t support built-in multi-factor authentication it can be achieved through PAM. Existing solutions include the OATH Toolkit and google-authenticator-libpam.

Finally, disabling remote root login is also a good idea.