Signature Detail

Short Name	TROJAN:EBURY-DNS-EXFILTRATION
Severity	Critical
Recommended	Yes
Recommended Action	Drop
Category	TROJAN
Keywords	Ebury SSHd Trojan Steinar Gunderson Tunneling
Release Date	2011/11/18
Update Number	2033
Supported Platforms	di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

TROJAN: Ebury Trojaned SSH Daemon DNS Data Exfiltration

This signature detects DNS packets used as a data exfiltration technique for the Trojan named "Ebury" discovered by security researcher Steinar Gunderson. An infected machine has its SSH daemon replaced with a malicious binary that collects usernames and passwords used to log in to the infected host, then sends those credentials to a listening post as DNS packets. The trojan also allows unlogged and unauthenticated remote login to the infected host. The source IP of this event in your logs may be a compromised SSH server that should be investigated.

References

URL: http://blog.sesse.net/blog/tech/2011-11-15-21-44_ebury_a_new_ssh_trojan.html

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

TROJAN: Ebury Trojaned SSH Daemon DNS Data Exfiltration

References