Home / Definitions / Linux/Ebury

Linux/Ebury

Forrest Stroud
Last Updated May 24, 2021 7:47 am

A strain of malware that allows unauthorized access and control of an affected system. Linux/Ebury is a backdoor Trojan and credential stealer that disguises itself as a variant of OpenSSH for Linux and Unix-style operating systems.

In March 2014, software security firm ESET discovered a connection between Linux/Ebury and other malware components such as Linux/Cdorked, Win32/Glupteba.M and Perl/Calfbot. ESET uncovered the fact that all four malware strains are operated by the same group, and subsequently dubbed the malicious collection of components as Operation Windigo.

How to Identify and Clean a System Compromised by Ebury

Linux/Ebury is distributed as a modified version of OpenSSH, which is an open source alternative to Secure Shell Software (SSH). Administrators can determine if a system has been compromised by Linux/Ebury by running the following command:

ssh g

An error about a missing argument returned by the command signifies that the system in question has been compromised by Ebury.

Systems infected by Linux/Ebury should be wiped completely clean and rebuilt from scratch. And because Ebury steals login credentials through its trojanized SSH binary, unique passwords and private keys need to be created for future access to the previously infected system in order to help prevent the server from being compromised by Ebury again.