Ebury and CDorked. Full disclosure

Wednesday 24 September 11:30 - 12:00, Green room.

Evgeny Sidorov Yandex
Pierre-Marc Bureau ESET
Konstantin Otrashkevich Yandex

Infection of web servers running *nix operating systems has become more and more popular among attackers. At the same time, tools used to attack and manage compromised servers have become increasingly sophisticated. The most popular pieces of malware for *nix web servers are 'CDorked' and 'Ebury'.

The 'CDorked' malware is a set of modified web servers used to redirect web traffic to malicious content. The 'Ebury' malware is an OpenSSH backdoor used to maintain control on a server and steal credentials from infected hosts.

With the release of a paper titled 'Operation Windigo' in March 2014 by ESET, we realized that many researchers were independently analysing how Ebury and CDorked are used by a malicious gang to redirect web traffic and control thousands of servers.

In this paper, we will describe the results of two independent analyses into the same operation. We will describe how Ebury and CDorked work by providing a detailed technical analysis of these two malware families. We will then provide two sets of data showing the size and structure of the botnet. Furthermore, we will describe how the gang behind this malware is selling traffic redirection to other malicious actors.

Click here for more details about the conference.

Evgeny Sidorov

Evgeny Sidorov

Evgeny Sidorov was born in 1986 in Belarus. In 2009, he graduated from the Institute of Cryptography, Telecommunications and Computer Science with a degree in applied mathematics. Until 2012, he was an independent researcher. In 2012 he moved to Russia and joined the Safe Search team at Yandex. Evgeny is married with one child and his hobbies include sports and reading.

Pierre-Marc Bureau

Pierre-Marc Bureau

Pierre-Marc Bureau is a security intelligence program manager at anti-virus company ESET. In his position, he is responsible for investigating trends in malware and finding effective techniques to counter these threats. Prior to joining ESET, Pierre-Marc Bureau worked for a network security company where he was a senior security analyst. Pierre-Marc Bureau finished his Master's degree in computer engineering at the Ecole Polytechnique of Montreal. His studies focused mainly on the performance evaluation of malware. He has presented at various international conferences including Recon, AVAR, CARO and Virus Bulletin. His main interests lie in reverse engineering, application and network security.


Konstantin Otrashkevich

Konstantin Otrashkevich

Konstantin Otrashkevich was born in 1981 in Russia. In 2003, he graduated from the Institute of Cryptography, Telecommunications and Computer Science with a degree in software engineering. Until 2013 he was an independent researcher. After that he joined the Safe Search team at Yandex. His hobbies include bandy and fishing.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.