
Zombie machines used in 'brutal' SSH attacks

By Bill Brenner, News Writer
02 Jun 2005 | SearchSecurity.com


It's a tedious activity that can put the best of IT administrators to sleep. But as security and compliance manager for a large U.S. healthcare organization, Adam Nunn has learned to study his network activity logs religiously. He knows that when the bad guys work overtime to break his defenses, those logs can be the first sign of trouble.

He had a more relaxed approach to log checking at home. But one day he had a look and was alarmed to find that more than 1,000 brute force attacks had been targeting his personal Web server for a month.

"Unless you check your logs, you won't notice this kind of thing," Nunn said. "The fact that tons of these attacks were directed at my home Web server tells me some much larger attacks are going on and that enterprises are a target. This really worries me on the enterprise front."

David Hoelzer, owner of security research firm Cyber-Defense, said Nunn's concern is well justified. In the last few months he's seen a dramatic spike in Secure Shell [SSH] brute force authentication attacks and wordlist/username attacks. Like Nunn, he's comparing notes with other security professionals and finding that it's happening on a much broader scale. What's worse is that hackers are using a growing army of zombie machines to pull it off.

"If I were an IT admin checking my logs and seeing this for the first time, I'd be feeling a sense of dread," Hoelzer said. "This tells you that hackers are getting much better at cracking SSH. It took a long time for people to switch from Telnet to SSH, which is more secure. But if you're able to break into a network through Secure Shell, the attack is encrypted and it's a lot harder to trace."

Attackers 'finding something'

SSH, also known as Secure Socket Shell, is a Unix-based command interface and protocol, according to Whatis.com, a sister site of SearchSecurity.com. It's widely used by network administrators to control Web and other kinds of servers remotely. SSH commands are secured in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted. So when someone can penetrate a firewall through SSH, Hoelzer said, "That's a big problem."

"When you see something widespread like this, it means attackers have found that many people are running SSH servers on the Internet, so it's seen as an attractive attack vector," he said. "Another reason this concerns me is that attackers tend not to waste their time. They don't scan randomly hoping to hit something. If they're scanning for SSH like this, they're finding something they can use."

A validated list of hosts engaged in this behavior is available on the Cyber-Defense Web site.

The zombie effect

These attacks are yet another indication of how attackers are putting their army of hijacked machines to use, Hoelzer said. "Most systems I see scanning for SSH are generally not the actual attacker," he said. "They are systems that have already been compromised that are being used to scan for weaknesses to exploit. The problem for those who try to find the source of attack is that it's not necessarily where the attacker is, but where the compromised machine is."

While the zombie army is global, he said many of the scans he's seeing appear to be coming from hijacked machines in China, Brazil and the United States. A majority of them are PCs or small business computers.

Lines of defense

Hoelzer's advice to IT managers is to avoid hooking SSH servers to the Internet if at all possible. "I tell clients, never have SSH available on the Internet, or any other administrative tool for that matter," he said.

If an IT shop finds it absolutely necessary to have Web-based access, Hoelzer said it should be very restricted. "If we restricted who could connect to SSH, that would make a big difference," he said. "I'd also advise people to use certificates for authentication if you must use an SSH server on the Internet. That essentially nullifies the attack."

Users would also do well to follow Nunn's example and check those logs regularly, he said.

"People tend to only look at logs when something has happened," he said. "This goes to show that you need to look at them regularly. People tend not to because it's a boring task. But there are some great automated tools for doing it. In a Unix environment, Logcheck is one great tool. Swatch and Security Event Correlator (SEC) are good, too."
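The kind of check Nunn ran by hand, as an added example that is not part of the original article: it scans constructed sshd "Failed password" lines in syslog format and flags source addresses that show either a high failure count or several different usernames from one host, the wordlist/username pattern Hoelzer describes. The log lines, thresholds and function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (syslog format); not real traffic.
SAMPLE_AUTH_LOG = """\
Jun  1 03:12:01 web sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jun  1 03:12:03 web sshd[4013]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Jun  1 03:12:05 web sshd[4015]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jun  1 03:12:07 web sshd[4017]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Jun  1 03:12:09 web sshd[4019]: Failed password for invalid user guest from 203.0.113.7 port 40161 ssh2
Jun  1 03:14:22 web sshd[4031]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2
Jun  1 03:14:25 web sshd[4033]: Failed password for root from 198.51.100.23 port 51010 ssh2
Jun  1 03:20:40 web sshd[4050]: Failed password for alice from 192.0.2.10 port 33001 ssh2
Jun  1 03:20:48 web sshd[4052]: Accepted publickey for alice from 192.0.2.10 port 33005 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return {source_ip: [usernames tried, in order]} for every failed login."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return failures


def brute_force_sources(log_text, min_failures=5, min_users=3):
    """Flag sources with many failures, or several distinct usernames
    (a username-list scan). Thresholds are assumed values for illustration;
    a single mistyped password from a real user stays below them."""
    suspects = {}
    for ip, users in parse_failures(log_text).items():
        distinct = set(users)
        if len(users) >= min_failures or len(distinct) >= min_users:
            suspects[ip] = {"failures": len(users), "usernames": sorted(distinct)}
    return suspects


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {info['usernames']}")
```

Run against a real /var/log/auth.log the same logic gives a per-source summary; the distinct-username rule is what separates a scanner from a legitimate user who fat-fingered a password.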
