windigo post-mortem

Kevin Brott kevin.brott at gmail.com
Sat Mar 22 00:51:50 EST 2014


In Debian (7.4) this is what shows up for libkeyutils.  I'm using
built-from-source ssh so I can't check for usage, but I'll take a look once
I'm in at work.  Note the attribution though, guessing this is endemic in
RH systems.

$ apt-cache show libkeyutils1
Package: libkeyutils1
Source: keyutils
Version: 1.5.5-3
Installed-Size: 19
Maintainer: Daniel Baumann <daniel.baumann at progress-technologies.net>
Architecture: amd64
Depends: libc6 (>= 2.7)
Pre-Depends: multiarch-support
Description-en: Linux Key Management Utilities (library)
 Keyutils is a set of utilities for managing the key retention facility in the
 kernel, which can be used by filesystems, block devices and more to gain and
 retain the authorization and encryption keys required to perform secure
 operations.
 .
 This package provides a wrapper library for the key management facility system
 calls.
Multi-Arch: same
Homepage: http://people.redhat.com/~dhowells/keyutils/



On Fri, Mar 21, 2014 at 12:35 AM, Damien Miller <djm at mindrot.org> wrote:

> On Fri, 21 Mar 2014, mancha wrote:
>
> > ESET recently published an interesting post-mortem of the so-called
> > "Operation Windigo" malware campaign [1].
> >
> > OpenSSH backdoors (codename Linux/Ebury), described by ESET last month
> > [2], are a key component of Windigo's attack surface.
>
> What is libkeyutils.so? Is it linked to by some vendor patch? AFAIK
> pristine OpenSSH never links to it.
>
> I saw a really early version of this trojan while helping with some
> forensics, but it was before it started hiding itself using
> libkeyutils.so...
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */
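The "check for usage" Kevin mentions, written out as an added example for a Debian/Ubuntu host (this script is not from the thread or from the OpenSSH project): it tests whether an OpenSSH binary's ldd output mentions libkeyutils.so, and compares the installed libkeyutils1 files against the md5sums dpkg recorded at install time. The md5sums file path and the constructed ldd capture are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Checks (1) whether an OpenSSH binary links libkeyutils.so at all, which
# pristine OpenSSH does not, and (2) whether the packaged libkeyutils1 files
# still match the checksums dpkg recorded when the package was installed.

# Return 0 if the given ldd output lists libkeyutils.so, 1 otherwise.
# Takes the output as text so it also works on a capture saved from a host.
ldd_links_keyutils() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*libkeyutils\.so'
}

# Same check against a real binary on this host.
binary_links_keyutils() {
    binary_links_keyutils_out=$(ldd "$1" 2>/dev/null) || return 1
    ldd_links_keyutils "$binary_links_keyutils_out"
}

# Compare libkeyutils1's installed files with dpkg's recorded md5sums.
# Assumed path: /var/lib/dpkg/info/libkeyutils1*.md5sums (multiarch hosts
# name it libkeyutils1:amd64.md5sums). Paths inside are relative to /.
verify_libkeyutils_md5sums() {
    f=$(ls /var/lib/dpkg/info/libkeyutils1*.md5sums 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo "no md5sums list for libkeyutils1"; return 2; }
    (cd / && md5sum -c --quiet "$f")
}

# Walk the usual OpenSSH binaries and report which ones link libkeyutils.
report() {
    for b in ssh sshd ssh-keygen ssh-agent scp sftp; do
        p=$(command -v "$b" 2>/dev/null) || p=/usr/sbin/$b
        [ -x "$p" ] || continue
        if binary_links_keyutils "$p"; then
            printf '%s links libkeyutils.so\n' "$p"
        else
            printf '%s does not link libkeyutils.so\n' "$p"
        fi
    done
    verify_libkeyutils_md5sums && echo "libkeyutils1 files match dpkg md5sums"
}

# Constructed ldd capture (not from a real host) showing the suspicious case.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff00000000)
	libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'
ldd_links_keyutils "$SAMPLE_LDD" && echo "sample: links libkeyutils.so"
```

On a host you already suspect, nothing local is trustworthy (the md5sums list, ldd and md5sum included); compare the installed files against the .deb fetched from a clean mirror instead. Run `report` to check the live binaries.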