Zombie machines used in 'brutal' SSH attacks

By Bill Brenner, News Writer
02 Jun 2005 | SearchSecurity.com

It's a tedious activity that can put the best of IT administrators to sleep. But as security and compliance manager for a large U.S. healthcare organization, Adam Nunn has learned to study his network activity logs religiously. He knows that when the bad guys work overtime to break his defenses, those logs can be the first sign of trouble.

He had a more relaxed approach to log checking at home. But one day he had a look and was alarmed to find that more than 1,000 brute force attacks had been targeting his personal Web server for a month.

"Unless you check your logs, you won't notice this kind of thing," Nunn said. "The fact that tons of these attacks were directed at my home Web server tells me some much larger attacks are going on and that enterprises are a target. This really worries me on the enterprise front."

David Hoelzer, owner of security research firm Cyber-Defense, said Nunn's concern is well justified. In the last few months he's seen a dramatic spike in Secure Shell [SSH] brute force authentication attacks and wordlist/username attacks. Like Nunn, he's comparing notes with other security professionals and finding that it's happening on a much broader scale. What's worse is that hackers are using a growing army of zombie machines to pull it off.

"If I were an IT admin checking my logs and seeing this for the first time, I'd be feeling a sense of dread," Hoelzer said. "This tells you that hackers are getting much better at cracking SSH. It took a long time for people to switch from Telnet to SSH, which is more secure. But if you're able to break into a network through Secure Shell, the attack is encrypted and it's a lot harder to trace."

Attackers 'finding something'

SSH, also known as Secure Socket Shell, is a Unix-based command interface and protocol, according to Whatis.com, a sister site of SearchSecurity.com. It's widely used by network administrators to control Web and other kinds of servers remotely. SSH commands are secured in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted. So when someone can penetrate a firewall through SSH, Hoelzer said, "That's a big problem."

"When you see something widespread like this, it means attackers have found that many people are running SSH servers on the Internet, so it's seen as an attractive attack vector," he said. "Another reason this concerns me is that attackers tend not to waste their time. They don't scan randomly hoping to hit something. If they're scanning for SSH like this, they're finding something they can use."

A validated list of hosts engaged in this behavior is available on the Cyber-Defense Web site.

The zombie effect
These attacks are yet another indication of how attackers are putting their army of hijacked machines to use, Hoelzer said. "Most systems I see scanning for SSH are generally not the actual attacker," he said. "They are systems that have already been compromised that are being used to scan for weaknesses to exploit. The problem for those who try to find the source of attack is that it's not necessarily where the attacker is, but where the compromised machine is."

While the zombie army is global, he said many of the scans he's seeing appear to be coming from hijacked machines in China, Brazil and the United States. A majority of them are PCs or small business computers.

Lines of defense
Hoelzer's advice to IT managers is to avoid hooking SSH servers to the Internet if at all possible. "I tell clients, never have SSH available on the Internet, or any other administrative tool for that matter," he said.

If an IT shop finds it absolutely necessary to have Web-based access, Hoelzer said it should be very restricted. "If we restricted who could connect to SSH, that would make a big difference," he said. "I'd also advise people to use certificates for authentication if you must use an SSH server on the Internet. That essentially nullifies the attack."
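Hoelzer's two recommendations, restricting who may connect and replacing passwords with key-based authentication, both map onto directives in OpenSSH's sshd_config. The script below is an added example (not from the article, Cyber-Defense or the OpenSSH project) that audits the global section of an sshd_config against those recommendations. The sample configurations are constructed; the default values assumed when a directive is absent follow the OpenSSH documentation of the era (PermitRootLogin and PasswordAuthentication both default to yes), and the audit covers account-level restriction only, since network-level restriction (firewall rules, an internal ListenAddress) depends on the site.

```python
import re

# Default that applies when a directive is missing from sshd_config.
# sshd uses the first occurrence of each keyword, so later duplicates are ignored.
DEFAULTS = {
    "permitrootlogin": "yes",                 # newer releases default to prohibit-password
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes", # keyboard-interactive can still carry a password
    "kbdinteractiveauthentication": "yes",    # newer spelling of the same directive
    "maxauthtries": "6",
}

# "Keyword value" or "Keyword=value", per the sshd_config grammar.
LINE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=\s*|\s+)(.*?)\s*$")

# Constructed sample: roughly what a stock 2005-era sshd_config allowed.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication yes
"""

# Constructed sample: key-only logins, no root, one admin group, few guesses.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshadmins
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {lowercase_keyword: value} for the global section of an sshd_config.

    Comments are stripped, the first occurrence of a keyword wins, and parsing stops
    at the first Match block because its conditional overrides are out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def effective(settings, key):
    """Configured value, or the assumed default when the directive is absent."""
    return settings.get(key, DEFAULTS.get(key, "")).lower()


def audit(text):
    """Return a list of findings; an empty list means the config passes every check."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin: root is the most-guessed account name; set 'no'")
    if effective(s, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication: password guessing is possible; set 'no' and use keys")
    if effective(s, "challengeresponseauthentication") != "no" and \
            effective(s, "kbdinteractiveauthentication") != "no":
        findings.append("ChallengeResponseAuthentication: keyboard-interactive still accepts passwords; set 'no'")
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication: key-based login is disabled; set 'yes'")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("AllowUsers/AllowGroups: nothing limits which accounts may log in over SSH")
    if int(effective(s, "maxauthtries")) > 3:
        findings.append("MaxAuthTries: more than 3 guesses allowed per connection")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; because missing directives are evaluated at their defaults, a configuration that never mentions PasswordAuthentication is reported as still accepting passwords, which is the case the article's advice is aimed at.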

Users would also do well to follow Nunn's example and check those logs regularly, he said.

"People tend to only look at logs when something has happened," he said. "This goes to show that you need to look at them regularly. People tend not to because it's a boring task. But there are some great automated tools for doing it. In a Unix environment, Logcheck is one great tool. Swatch and Security Event Correlator (SEC) are good, too."
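The pattern Nunn found in his logs, many failed logins from one source cycling through account names, is mechanical enough to detect automatically, which is what tools such as Logcheck, Swatch and SEC are used for. The script below is an added example, not code from the article or from any of those tools, showing the detection logic itself over a constructed sample of OpenSSH auth-log lines (syslog format, documentation IP ranges). The thresholds (5 failures, or 3 distinct usernames, from one source) are assumptions a site would tune.

```python
import re
from datetime import datetime

# Constructed sample of OpenSSH sshd messages as syslog writes them to auth.log.
SAMPLE_LOG = """\
Jun  2 03:14:05 web sshd[2201]: Invalid user admin from 203.0.113.5
Jun  2 03:14:07 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Jun  2 03:14:09 web sshd[2203]: Failed password for root from 203.0.113.5 port 41130 ssh2
Jun  2 03:14:11 web sshd[2205]: Invalid user oracle from 203.0.113.5
Jun  2 03:14:12 web sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 41137 ssh2
Jun  2 03:14:14 web sshd[2207]: Failed password for root from 203.0.113.5 port 41140 ssh2
Jun  2 03:14:16 web sshd[2209]: Invalid user test from 203.0.113.5
Jun  2 03:14:17 web sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 41145 ssh2
Jun  2 03:14:20 web sshd[2211]: Failed password for root from 203.0.113.5 port 41151 ssh2
Jun  2 07:40:01 web sshd[2350]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun  2 07:40:08 web sshd[2350]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Jun  2 09:02:33 web sshd[2402]: Failed password for root from 192.0.2.44 port 36001 ssh2
Jun  2 09:02:40 web sshd[2404]: Failed password for root from 192.0.2.44 port 36004 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
IP = r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
# A rejected authentication attempt (password or key) for a real or unknown account.
FAILED_RE = re.compile(
    rf"^{TS} \S+ sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from {IP} port \d+"
)
# A login attempt for an account that does not exist: the username-list signature.
INVALID_RE = re.compile(rf"^{TS} \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from {IP}")


def parse_syslog_ts(ts, year=2005):
    """syslog timestamps omit the year and pad single-digit days with a space."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def summarize(lines):
    """Per source IP: failed logins, account names tried, first and last failure time."""
    by_ip = {}
    for line in lines:
        kind, m = "failed", FAILED_RE.match(line)
        if not m:
            kind, m = "invalid", INVALID_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated sshd messages are not counted
        rec = by_ip.setdefault(
            m.group("ip"), {"failures": 0, "users": set(), "first": None, "last": None}
        )
        rec["users"].add(m.group("user"))
        if kind == "failed":  # "Invalid user" lines only contribute the name tried
            ts = parse_syslog_ts(m.group("ts"))
            rec["failures"] += 1
            rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
            rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return by_ip


def flag_brute_force(lines, min_failures=5, min_users=3):
    """Sources worth an alert: many failures, or many different account names tried."""
    hits = []
    for ip, rec in summarize(lines).items():
        if rec["failures"] >= min_failures or len(rec["users"]) >= min_users:
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    summary = summarize(lines)
    for ip in flag_brute_force(lines):
        rec = summary[ip]
        span = (rec["last"] - rec["first"]).total_seconds()
        print(f"{ip}: {rec['failures']} failures, {len(rec['users'])} usernames, {span:.0f}s")
```

On the sample only 203.0.113.5 is flagged: six failures across four account names in 13 seconds, while alice's single typo before a successful key login and the two root attempts from 192.0.2.44 stay below both thresholds. Counting distinct usernames as well as raw failures is what separates the wordlist/username attacks Hoelzer describes from an ordinary mistyped password, and, as the article notes, the flagged address is more likely a compromised host than the attacker's own machine, so the useful response is to block or report it rather than to treat it as attribution.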
