
A Russian man has pleaded guilty to helping to create and operate a botnet of tens of thousands of machines infected with Ebury malware.

On 28 March 2017, Maxim Senakh, 41, of Velikii Novgorod, Russia pleaded guilty to a conspiracy to violate the Computer Fraud and Abuse Act and conspiracy to commit wire fraud. Law enforcement originally indicted Senakh on 13 January 2015. Some time thereafter, Finnish authorities arrested the man and extradited him to the United States.

According to his plea admissions, Senakh and his co-conspirators built a botnet of tens of thousands of infected machines located around the world, including in the United States. They compromised those computers using Ebury, an OpenSSH backdoor and credential stealer for Linux and other Unix-like systems that harvests SSH login passwords and private keys from the hosts it infects.

The malware arrives either as a trojanized shared library or as a patch to the OpenSSH binaries themselves, runs with root privileges, and sends the stolen credentials back to the attackers. It also opens a remote root shell through which the attackers can regain access to infected hosts even after the passwords on user accounts have been changed.
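As an added example (not code from the article, and not ESET's own tooling), the script below is a read-only triage pass built from the Ebury indicators ESET published in its 2014 Operation Windigo report: an oversized libkeyutils.so, the old "ssh -G" option test, and world-writable SysV shared-memory segments. The size cut-offs, the library search paths, and the handling of OpenSSH 6.8 and later (which added a genuine -G flag, so the option test proves nothing there) are assumptions of mine and are marked as such in the comments.

```shell
#!/bin/sh
# Added example: read-only triage for 2014-era Ebury indicators.
# Not from the article or from ESET; thresholds and paths are assumptions.

# Indicator 1: Ebury shipped as a trojanized libkeyutils.so. The genuine
# library is a few KiB; the backdoored one is far larger because it carries
# the credential-stealing and C2 code. 20 KiB is an assumed cut-off.
LIBKEYUTILS_MAX_BYTES=20480

# Return 0 (true) if the file at $1 exists and exceeds the size cut-off.
libkeyutils_is_suspicious() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(wc -c < "$f")" -gt "$LIBKEYUTILS_MAX_BYTES" ]
}

# Parse the output of "ssh -V" ("OpenSSH_X.Yp...") and return 0 if X.Y >= 6.8,
# the release that introduced a real -G option.
openssh_version_ge_6_8() {
    v=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    set -- $v
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }
}

# Indicator 2: the "ssh -G" test. Ebury's patched client accepted the then
# non-existent -G flag, so a clean client printed "illegal option -- G" and
# an infected one printed only the usage text. On OpenSSH >= 6.8 the flag is
# legitimate, so the result is reported as inconclusive rather than clean.
# $1 = output of "ssh -V 2>&1", $2 = output of "ssh -G 2>&1".
classify_ssh_g() {
    if openssh_version_ge_6_8 "$1"; then
        echo inconclusive
    elif printf '%s' "$2" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo clean
    else
        echo suspicious
    fi
}

# Indicator 3: Ebury parked harvested credentials in a SysV shared-memory
# segment that was world-writable (perms 666) and large (ESET cited roughly
# 3 MB or more). Reads "ipcs -m" output on stdin and prints the hit count.
SHM_MIN_BYTES=3000000

suspicious_shm_count() {
    awk -v min="$SHM_MIN_BYTES" '
        # data rows look like: key shmid owner perms bytes nattch [status]
        $1 ~ /^0x/ && $4 == "666" && ($5 + 0) > min { n++ }
        END { print n + 0 }'
}

# Run all three indicators against the live host. Every check is read-only.
triage_host() {
    # Search paths are an assumption; adjust for the distribution in use.
    for lib in $(find /lib /lib64 /usr/lib /usr/lib64 -maxdepth 3 -type f \
                      -name 'libkeyutils.so*' 2>/dev/null); do
        if libkeyutils_is_suspicious "$lib"; then
            echo "SUSPICIOUS: $lib is $(wc -c < "$lib") bytes"
        else
            echo "ok: $lib"
        fi
    done
    if command -v ssh >/dev/null 2>&1; then
        echo "ssh -G test: $(classify_ssh_g "$(ssh -V 2>&1)" "$(ssh -G 2>&1)")"
    fi
    if command -v ipcs >/dev/null 2>&1; then
        echo "world-writable shm segments over ${SHM_MIN_BYTES} bytes: $(ipcs -m 2>/dev/null | suspicious_shm_count)"
    fi
}

triage_host
```

A hit from any of these checks is a reason to take the host offline and image it, not a verdict on its own, and the indicators are specific to the samples ESET described in 2014, so a clean run does not clear a machine. The functions take their input as arguments or on stdin precisely so they can be exercised against captured output from a suspect host without running them there.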

Ebury timeline. (Source: ESET)

Back in 2011, Ebury was used to infect servers belonging to the Linux Kernel Organization and the Linux Foundation, some of which remained offline for a month. But as Bleeping Computer notes, the botnet is a shadow of its former self today after extensive sinkholing of its infrastructure by the security industry.

ESET provides more information on Ebury here.

The Ebury botnet proved to be the launchpad for secondary attack campaigns launched by Senakh and his fellow criminals. As the U.S. Department of Justice explains in a statement:

“Senakh and his co-conspirators used the Ebury botnet to generate and redirect internet traffic in furtherance of various click-fraud and spam e-mail schemes, which fraudulently generated millions of dollars in revenue. As part of the plea, Senakh admitted that he supported the criminal enterprise by creating accounts with domain registrars which helped build the Ebury botnet infrastructure and personally profited from traffic generated by the Ebury botnet.”

Sentencing is set to take place on 3 August 2017.

News of Senakh’s plea arrives less than a week after 29-year-old Mark Vartanyan pleaded guilty to creating Citadel, malware which infected over 11 million PCs and stole an astonishing $500 million from bank accounts.