Member of group behind Linux rootkit Ebury pleads guilty
In the US state of Minnesota, a 41-year-old Russian man has pleaded guilty to participating in a group responsible for distributing the Ebury rootkit, which was able to steal victims’ login credentials.
In a statement, the US Department of Justice wrote that the man was charged in 2015 and subsequently arrested in Finland. By spreading the rootkit, the Russian and his accomplices infected “tens of thousands of servers”, enabling them to build a large botnet, according to the department. They then used the botnet to send spam and commit click fraud, which allegedly earned them several million dollars in profit.
According to his admission in the plea agreement, the 41-year-old’s contribution consisted of creating accounts with domain registrars, thereby contributing to the infrastructure of the Ebury botnet. He also allegedly benefited from the revenue produced by the generated traffic.
Ebury’s activity began in 2013. At the time, the German government CERT launched an investigation into the malware’s activity, revealing that systems in more than 60 countries had been infected; about thirty percent of those were in the US and another ten percent in Germany. Ebury targeted Unix-like and Linux systems, modifying SSH binaries or shared SSH libraries. This allowed the malware to steal SSH login data and send it to the criminals’ servers via DNS.
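As an added example (not part of the article, nor ESET’s or the DOJ’s material), here is a defender-side check for the exfiltration channel described above: it scans resolver log lines for queries whose labels are long and high-entropy, the shape that encoded credential data sent out over DNS takes. The log format, hostnames and thresholds are assumptions, and the sample lines are constructed.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample resolver log lines (assumed format, not from the article): two
# benign lookups and two queries carrying long, high-entropy labels.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=www.example.com. qtype=A
2024-05-01T10:00:02Z client=10.0.0.7 qname=3a9f1c77e2b04d5ea8c6f01b9d2e4a7c5f8b1e3d.ns1.exfil-example.test. qtype=A
2024-05-01T10:00:03Z client=10.0.0.7 qname=cm9vdDpTM2NyM3RQYXNzd29yZA.ns1.exfil-example.test. qtype=TXT
2024-05-01T10:00:04Z client=10.0.0.9 qname=mirrors.kernel.org. qtype=AAAA
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+?)\.? qtype=(?P<qtype>\S+)")

# Assumed thresholds, chosen for the sample; tune them against a baseline of your own traffic.
MIN_LABEL_LEN = 24   # ordinary hostnames rarely have labels this long
MIN_ENTROPY = 3.5    # bits per character; hex/base64 payloads score close to 4 or above


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def suspicious_label(qname: str) -> Optional[str]:
    """Return the first label that is both long and high-entropy, or None."""
    for label in qname.split("."):
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
            return label
    return None


def find_exfil_candidates(log_text: str) -> List[Dict[str, str]]:
    """Parse resolver log lines and return queries whose labels look like encoded data."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        label = suspicious_label(m["qname"])
        if label:
            hits.append({"client": m["client"], "qname": m["qname"],
                         "label": label, "qtype": m["qtype"]})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['qname']} (label={hit['label']}, {hit['qtype']})")
```

Flagged clients are leads for a host-level check, such as verifying the installed SSH binaries and libraries against the package manager’s recorded checksums.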
According to research by ESET, Ebury was part of the so-called Windigo campaign, which used various tools to infect Linux and Unix hosts. Because these hosts often served websites, ESET rated the campaign’s harmful impact as high. Affected sites included, for example, cPanel and kernel.org.