Ebury SSH rootkit

#22241 by Mad_Dud
Mon Feb 17, 2014 9:59 am

Could anyone share source code or sample of this rootkit?

SID:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
(msg:"Ebury SSH Rootkit data exfiltration";\
content:"|12 0b 01 00 00 01|"; depth:6;\
pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\
reference:url,https://www.cert-bund.de/ebury-faq;\
classtype:trojan-activity; sid:10001; rev:1;)

Additional information:
http://www.microsoft.com/security/porta ... %2fEbury.A
https://www.cert-bund.de/ebury-faq‎
https://isc.sans.edu/diary/SSHD+rootkit ... wild/15229

Regards,
Dud

Username

Mad_Dud

Posts

6

Joined

Thu Jun 06, 2013 3:15 pm

Re: Ebury SSH rootkit

#22274 by rkhunter
Sat Feb 22, 2014 1:27 pm

http://www.welivesecurity.com/2014/02/2 ... inuxebury/

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Ebury SSH rootkit

#22295 by Xylitol
Tue Feb 25, 2014 2:19 am

In attachement:
5d3ec6c11c6b5e241df1cc19aa16d50652d6fac0 – Linux/Ebury – Version 1.3.3
09c8af3be4327c83d4a7124a678bbc81e12a1de4 – Linux/Ebury – Version 1.3.2
bf1466936e3bd882b47210c12bf06cb63f7624c0 – Linux/Ebury – Version 1.3.2
e14da493d70ea4dd43e772117a61f9dbcff2c41c – Linux/Ebury – Version 1.3.2
adfcd3e591330b8d84ab2ab1f7814d36e7b7e89f – Linux/Ebury – Version 1.3.2
39ec9e03edb25f1c316822605fe4df7a7b1ad94a – Linux/Ebury – Version 1.3.2
471ee431030332dd636b8af24a428556ee72df37 – Linux/Ebury – Version 1.2.1

Attachments

Ebury.zip

infected
(107.64 KiB) Downloaded 89 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact