In Debian (7.4) this is what shows up for libkeyutils. I'm using built-from-source ssh so I can't check for usage, but I'll take a look once I'm in at work. Note the attribution though, guessing this is endemic in RH systems.

$ apt-cache show libkeyutils1
Package: libkeyutils1
Source: keyutils
Version: 1.5.5-3
Installed-Size: 19
Maintainer: Daniel Baumann <daniel.baumann@xxxxxxxxxxxxxxxxxxxxxxxxx>
Architecture: amd64
Depends: libc6 (>= 2.7)
Pre-Depends: multiarch-support
Description-en: Linux Key Management Utilities (library)
 Keyutils is a set of utilities for managing the key retention facility in the
 kernel, which can be used by filesystems, block devices and more to gain and
 retain the authorization and encryption keys required to perform secure
 operations.
 .
 This package provides a wrapper library for the key management facility system
 calls.
Multi-Arch: same
Homepage: http://people.redhat.com/~dhowells/keyutils/

On Fri, Mar 21, 2014 at 12:35 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Fri, 21 Mar 2014, mancha wrote:
>
> > ESET recently published an interesting post-mortem of the so-called
> > "Operation Windigo" malware campaign [1].
> >
> > OpenSSH backdoors (codename Linux/Ebury), described by ESET last month
> > [2], are a key component of Windigo's attack surface.
>
> What is libkeyutils.so? Is it linked to by some vendor patch? AFAIK
> pristine OpenSSH never links to it.
>
> I saw a really early version of this trojan while helping with some
> forensics, but it was before it started hiding itself using
> libkeyutils.so...
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott@xxxxxxxxx> */