windigo post-mortem

Kevin Brott kevin.brott at
Sat Mar 22 00:51:50 EST 2014

In Debian (7.4) this is what shows up for libkeyutils.  I'm using
built-from-source ssh so I can't check for usage, but I'll take a look once
I'm in at work.  Note the attribution though, guessing this is endemic in
RH systems.

$ apt-cache show libkeyutils1
Package: libkeyutils1
Source: keyutils
Version: 1.5.5-3
Installed-Size: 19
Maintainer: Daniel Baumann <daniel.baumann at>
Architecture: amd64
Depends: libc6 (>= 2.7)
Pre-Depends: multiarch-support
Description-en: Linux Key Management Utilities (library)
 Keyutils is a set of utilities for managing the key retention facility in
 kernel, which can be used by filesystems, block devices and more to gain
 retain the authorization and encryption keys required to perform secure
 This package provides a wrapper library for the key management facility
Multi-Arch: same

On Fri, Mar 21, 2014 at 12:35 AM, Damien Miller <djm at> wrote:

> On Fri, 21 Mar 2014, mancha wrote:
> > ESET recently published an interesting post-mortem of the so-called
> > "Operation Windigo" malware campaign [1].
> >
> > OpenSSH backdoors (codename Linux/Ebury), described by ESET last month
> > [2], are a key component of Windigo's attack surface.
> What is Is it linked to by some vendor patch? AFAIK
> pristine OpenSSH never links to it.
> I saw a really early version of this trojan while helping with some
> forensics, but it was before it started hiding itself using
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at> */
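Damien's question above is whether an sshd binary links libkeyutils at all, and Kevin notes he cannot check his build-from-source ssh yet. The usual answer is `ldd`, but on a host suspected of compromise `ldd` is unattractive because it invokes the dynamic loader on the binary being examined. The script below is an added example, not code from this thread or from OpenSSH: it reads the DT_NEEDED entries of a little-endian ELF64 file directly with `struct`, so nothing from the inspected file is executed. It reports only direct dependencies (what `readelf -d` shows as NEEDED), not libraries pulled in transitively. The `build_test_elf` helper constructs a minimal, non-functional ELF purely so the parser can be exercised offline; its contents are made up.

```python
import struct
import sys
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def needed_libraries(data: bytes) -> List[str]:
    """Return the DT_NEEDED library names of a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported")
    ehdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]

    loads = []                       # (vaddr, file offset, size) per PT_LOAD
    dynamic: Optional[tuple] = None  # (file offset, size) of PT_DYNAMIC
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []  # statically linked: no dynamic section, no NEEDED entries

    def vaddr_to_offset(va: int) -> int:
        # DT_STRTAB holds a virtual address; map it back through PT_LOAD.
        for vaddr, off, size in loads:
            if vaddr <= va < vaddr + size:
                return off + (va - vaddr)
        raise ValueError("string table address is not backed by the file")

    name_offsets, strtab_va = [], None
    start, size = dynamic
    for pos in range(start, start + size, struct.calcsize(DYN_FMT)):
        tag, val = struct.unpack_from(DYN_FMT, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            name_offsets.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
    if strtab_va is None:
        raise ValueError("dynamic section has no DT_STRTAB")

    strtab = vaddr_to_offset(strtab_va)
    names = []
    for off in name_offsets:
        end = data.index(b"\x00", strtab + off)
        names.append(data[strtab + off:end].decode("ascii", "replace"))
    return names


def links_libkeyutils(data: bytes) -> bool:
    """True if the image has a direct NEEDED entry for libkeyutils."""
    return any(n.startswith("libkeyutils.so") for n in needed_libraries(data))


def build_test_elf(needed: List[str]) -> bytes:
    """Constructed sample: a minimal ELF64 with one PT_LOAD and a PT_DYNAMIC
    section listing `needed`. It is not runnable and is only test input."""
    strtab, offsets = b"\x00", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\x00"
    ehdr_size, phdr_size = 64, 56
    strtab_off = ehdr_size + 2 * phdr_size
    dyn_off = (strtab_off + len(strtab) + 7) & ~7  # 8-byte align the dynamic section
    dyn = b"".join(struct.pack(DYN_FMT, DT_NEEDED, o) for o in offsets)
    dyn += struct.pack(DYN_FMT, DT_STRTAB, strtab_off)  # vaddr == file offset here
    dyn += struct.pack(DYN_FMT, DT_STRSZ, len(strtab))
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 2, 64, 0, 0)
    load = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dynph = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dyn), len(dyn), 8)
    body = ehdr + load + dynph + strtab
    body += b"\x00" * (dyn_off - len(body))
    return body + dyn


if __name__ == "__main__":
    # Usage: python3 needed.py /path/to/sshd /path/to/ssh ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            image = fh.read()
        libs = needed_libraries(image)
        flag = "  <-- links libkeyutils" if links_libkeyutils(image) else ""
        print(f"{path}: {', '.join(libs) or '(static)'}{flag}")
```

Run it against the installed `sshd` and `ssh` binaries; a hit on `libkeyutils.so` in a pristine OpenSSH build would be the anomaly Damien describes, while a hit coming from a distribution patch would show up in the vendor's linker flags rather than in upstream source.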
