Ebury Botnet: Long-Range Malware Impacting Linux Servers

In a recent report published by the Slovak cybersecurity firm ESET, the surprising magnitude of the threat posed by the malware known as Ebury is revealed. This botnet has compromised more than 400,000 Linux servers since 2009, with more than 100,000 still under its control until the end of 2023.



Ebury, characterized as one of the most advanced for-profit server-level malware attacks, has been operating in the shadows, generating profits through various fraudulent activities. According to deep analysis by security researcher Marc-Etienne M.Léveillé, Ebury operators have been engaged in the spread of spam, redirection of web traffic and theft of credentials.



The Ebury malware, initially documented as part of the Operation Windigo campaign more than a decade ago, has been used to deploy a series of backdoors and scripts intended to manipulate web traffic and send spam. The complexity of this botnet has been such that, in August 2017, a Russian citizen, Maxim Senakh, was sentenced to almost four years in prison in the United States for his participation in the development and maintenance of this malware.


Ebury’s delivery methods are diverse and sophisticated, from stealing SSH credentials to exploiting web control panel vulnerabilities and SSH man-in-the-middle attacks. Additionally, the threat actors behind Ebury have been observed using fake or stolen identities to cover their tracks, complicating attribution efforts.


The latest version of Ebury, 1.8.2, introduces new obfuscation techniques and a Domain Generation Algorithm (DGA), making it even more difficult to detect. This malware acts as a backdoor within the OpenSSH daemon and a credential stealer, allowing attackers to deploy additional payloads and expand their presence within a compromised network.


In addition to stealing credit card and cryptocurrency information, Ebury has been used to intercept HTTP requests and send spam, leveraging compromised servers to redirect traffic and capture sensitive details from online forms. Given the complexity and potential impact of this malware, it is crucial that organizations strengthen their cybersecurity measures, from deploying security patches to proactively monitoring for suspicious activity on their networks.


At Devel, we are committed to staying at the forefront of fighting cyber threats like Ebury, providing effective solutions and expert advice to protect our clients’ digital assets.

Related Posts
Clear Filters

La Agencia de Seguridad de Infraestructura y Ciberseguridad de Estados Unidos (CISA) ha añadido una vulnerabilidad de alta severidad en…

Devel Group
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.