Re: windigo post-mortem

In Debian (7.4) this is what shows up for libkeyutils.  I'm using
built-from-source ssh so I can't check for usage, but I'll take a look once
I'm in at work.  Note the attribution though, guessing this is endemic in
RH systems.

$ apt-cache show libkeyutils1
Package: libkeyutils1
Source: keyutils
Version: 1.5.5-3
Installed-Size: 19
Maintainer: Daniel Baumann <daniel.baumann@xxxxxxxxxxxxxxxxxxxxxxxxx>
Architecture: amd64
Depends: libc6 (>= 2.7)
Pre-Depends: multiarch-support
Description-en: Linux Key Management Utilities (library)
 Keyutils is a set of utilities for managing the key retention facility in the
 kernel, which can be used by filesystems, block devices and more to gain and
 retain the authorization and encryption keys required to perform secure
 operations.
 .
 This package provides a wrapper library for the key management facility system
 calls.
Multi-Arch: same
Homepage: http://people.redhat.com/~dhowells/keyutils/



On Fri, Mar 21, 2014 at 12:35 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Fri, 21 Mar 2014, mancha wrote:
>
> > ESET recently published an interesting post-mortem of the so-called
> > "Operation Windigo" malware campaign [1].
> >
> > OpenSSH backdoors (codename Linux/Ebury), described by ESET last month
> > [2], are a key component of Windigo's attack surface.
>
> What is libkeyutils.so? Is it linked to by some vendor patch? AFAIK
> pristine OpenSSH never links to it.
>
> I saw a really early version of this trojan while helping with some
> forensics, but it was before it started hiding itself using
> libkeyutils.so...
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott@xxxxxxxxx> */
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
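The two checks the thread is circling (does the ssh binary on this host link libkeyutils.so at all, and do the installed libkeyutils files still match what the package shipped) can be scripted. The following is an added example, not code from this thread or from OpenSSH; it assumes a Debian-style host with ldd and dpkg, and the function names are my own. The parsing functions read tool output on stdin so they can be exercised with constructed input; --run performs the checks against the live host.

```sh
#!/bin/sh
# Added example (not from the thread): defender-side checks for a host
# where a trojaned libkeyutils.so is suspected. Assumes Debian tooling.

# Read "ldd <binary>" output on stdin; succeed if libkeyutils.so is listed.
# Pristine OpenSSH does not link it, so a hit deserves a closer look.
ldd_links_keyutils() {
    grep -q 'libkeyutils\.so'
}

# Read "dpkg -V <pkg>" output on stdin and print paths whose md5 differs.
# dpkg -V prints rpm-style lines, e.g. "??5??????   /lib/.../libkeyutils.so.1.4"
# (conffiles carry an extra "c" field); a '5' in the third column means the
# checksum no longer matches the package manifest.
modified_files() {
    awk '$1 ~ /^..5/ { print $NF }'
}

# Read library paths on stdin (one per line) and print those that no
# package claims, which is where an unpackaged shared object would show up.
unowned_files() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        dpkg -S "$path" >/dev/null 2>&1 || echo "$path"
    done
}

# Run all checks on the live host; output is meant to be read by a person.
check_host() {
    for bin in "$(command -v ssh)" /usr/sbin/sshd; do
        [ -x "$bin" ] || continue
        if ldd "$bin" | ldd_links_keyutils; then
            echo "NOTE: $bin links libkeyutils.so (pristine OpenSSH does not)"
        else
            echo "ok: $bin does not link libkeyutils.so"
        fi
    done
    echo "--- libkeyutils1 files whose checksum differs from the package:"
    dpkg -V libkeyutils1 2>/dev/null | modified_files
    echo "--- libkeyutils.so* files not owned by any package:"
    ls /lib/*/libkeyutils.so* /lib/libkeyutils.so* 2>/dev/null | unowned_files
}

if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

A clean host prints "ok" for both binaries and two empty sections; a vendor patch that legitimately links libkeyutils would show the NOTE line with nothing under the dpkg sections, which is the distinction Damien asked about.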