400,000 Linux Servers Infected by Ebury Botnet & Cases Rising

Botnets come in handy for malicious attackers who conduct cybersecurity attacks.

Ebury is one such botnet malware that has been troubling Linux servers since 2009.

Even after fifteen years, it remains in existence, evolving and using new tactics.

ESET researchers published a new report describing how malware infects a server and the measures to prevent it from spreading further.

What's Ebury Botnet Malware, and What Is Its Impact?

Ebury botnet malware steals credentials from the compromised servers. It is designed purely for monetary gain because sensitive data can be sold on the dark web or used to blackmail affected server admins.

In 15 years, Ebury has successfully infiltrated over 400K Linux servers. That isn't a small number, but ESET says that only 25 percent of them are still compromised.

That means nearly 100K servers are still infected, with their admins unaware of Ebury's presence.

"The perpetrators keep track of the systems they compromised, and we used that data to draw a timeline of the number of new servers added to the botnet each month," said ESET.

Ebury's Evolving

Even after the creator of the botnet malware was arrested in 2017, it continued to spread. ESET regularly deploys honeypots to lure Ebury into infecting them so that researchers can study the malware.

But over time, the honeypots have become less effective, as Ebury has learned to recognize them. In one such incident, the malware brazenly sent a "Hello ESET honeypot" message.

The malware is improving at identifying honeypots, making it more difficult for researchers.

Ebury loves targeting hosting providers because a single compromise opens the gates to many servers. Rather than going after one server at a time, capturing and snooping on many servers at once appeals to the operators.

ESET rented a virtual server, and Ebury infected it in less than a week.

Hackers also love intercepting traffic and redirecting users to servers that capture credentials.

Cryptocurrency nodes are prime targets because compromising them gives the attackers access to wallet credentials, which they then use to transfer the funds.

The malware is exceptionally good at covering its tracks. It uses new obfuscation techniques to hide from the admin's eyes.

The Dutch National High Tech Crime Unit (NHTCU) and ESET collaborated after finding malware on the server of a victim of cryptocurrency theft.

To learn more about the malware, check out the official research paper. You can also try an Ebury detection script that is available on GitHub.
