
ESET discovers 21 new malware families targeting Linux

Security company ESET has announced that it has discovered 21 new Linux-based malware families. All families work in the same way: as a trojan version of the OpenSSH client. That’s what ZDNet reports.

The families managed to stay under the radar for four years. The reason is that Linux is safer than Windows and faces far fewer threats, so security companies pay less attention to Linux malware than to Windows malware.

The malware families have been developed to be used in more complex botnet plans. Attackers enter a Linux system, generally a server, and replace the legitimate OpenSSH installation with one of the malware variants.

Eighteen of the 21 families have a function to steal credentials, according to ESET, which makes it possible to steal passwords and keys. Seventeen of the 21 families also contain a backdoor mode, which allows an attacker to reconnect to the machine later on without being noticed.

ESET researchers admit that they were not the discoverers of the families, but that this honour goes to another Linux malware: Windigo, also known as Ebury. The researchers analysed a Windigo botnet and its central Ebury backdoor. In doing so, they discovered that Ebury contained an internal mechanism that scanned for other locally installed OpenSSH backdoors.

Windigo’s creators did this via a Perl script that scanned for forty hashes that they knew were being used by competing malware groups. When the researchers looked at those hashes, they realised that they did not have samples corresponding to most of the backdoors described in the script.

ESET has used the same list of hashes in recent years to find the malware families. Some of the original forty hashes have never been spotted, probably because their creators now use other malware. However, 21 were still used in recent years.
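The same idea works from the defender's side: because these families replace the legitimate OpenSSH binaries, hashing the installed files and comparing them against a known-good list (vendor package hashes) and a known-bad list (hashes shared by a vendor or incident-response team) surfaces a swapped binary. The script below is an added example written for this article; it is not ESET's or Ebury's Perl script, and all file contents and hashes in it are constructed placeholders created in a temporary directory rather than real samples or IoCs.

```python
# Added example (not from ESET or the article): classify OpenSSH binaries by
# SHA-256 against an allowlist of vendor hashes and a blocklist of trojanized
# builds. On a real host the paths would be e.g. /usr/bin/ssh and
# /usr/sbin/sshd; here a constructed temporary tree stands in for them.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binaries(paths, known_good, known_bad):
    """Classify each path as 'ok', 'known-bad', 'unknown' or 'missing'.

    known_good: hashes of the vendor binaries (e.g. taken from package metadata).
    known_bad : hashes of trojanized builds shared by a vendor or IR team.
    The bad list is consulted first so a hash present on both lists is still
    reported as bad; 'unknown' means rebuilt, patched, or not yet catalogued and
    deserves a manual look rather than being treated as clean.
    """
    results = {}
    for p in paths:
        p = Path(p)
        if not p.is_file():
            results[str(p)] = "missing"
            continue
        digest = sha256_of(p)
        if digest in known_bad:
            results[str(p)] = "known-bad"
        elif digest in known_good:
            results[str(p)] = "ok"
        else:
            results[str(p)] = "unknown"
    return results


def build_sample_tree():
    """Constructed sample: a clean 'ssh', a replaced 'sshd', an uncatalogued
    'ssh-agent', and an 'scp' that is absent from disk. Contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="openssh-check-"))
    clean = b"\x7fELF constructed clean ssh client\n"
    trojan = b"\x7fELF constructed trojanized sshd\n"
    rebuilt = b"\x7fELF constructed locally rebuilt ssh-agent\n"
    (root / "ssh").write_bytes(clean)
    (root / "sshd").write_bytes(trojan)
    (root / "ssh-agent").write_bytes(rebuilt)
    known_good = {hashlib.sha256(clean).hexdigest()}   # placeholder allowlist
    known_bad = {hashlib.sha256(trojan).hexdigest()}   # placeholder blocklist
    paths = [root / "ssh", root / "sshd", root / "ssh-agent", root / "scp"]
    return paths, known_good, known_bad


def demo():
    """Run the check on the constructed tree; returns {basename: status}."""
    paths, good, bad = build_sample_tree()
    return {Path(p).name: status for p, status in check_binaries(paths, good, bad).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} {status}")
```

On packaged systems the allowlist half of this check is already available through the package manager (`rpm -V openssh-server` or `debsums` on Debian-based distributions); the value of a separate blocklist is that it also names which known family a replaced binary belongs to, which is what Ebury's scan of the forty hashes did for its operators.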

How exactly the backdoors are placed on infected systems has not been disclosed.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.