Researchers recently identified a new malware family named GoScanSSH that seems to target public SSH servers, but which avoids government and military IP addresses. How does the GoScanSSH malware work, and what is different about this malware?
SSH offers many improvements over Telnet and enables different types of secure, encrypted access to a system. Many enterprises consider it secure enough to expose to the internet via bastion hosts, which provide encrypted access to internal systems without requiring a separate VPN. SSH servers are also often installed and ready to accept client requests by default.
While the SSH protocol and its implementations are secure, researchers at Cisco Talos recently blogged about an attack they discovered that targeted systems running SSH. The GoScanSSH malware scans the internet for open SSH servers and attempts to brute-force guess the password of a default account to gain initial access to a system.
While Talos didn't mention whether any vulnerabilities were exploited to gain root access, many of the account names targeted by the scans -- including root and admin -- have elevated system access. Once the attacker successfully logs into the targeted system, the malware is uploaded and infects that system, which is then used to spread GoScanSSH further. GoScanSSH then checks in with its command-and-control (C&C) server using the Tor2web proxy service to keep the C&C server hidden from defenders.
The GoScanSSH malware uses a custom C&C protocol to gather data about the compromised system and send it back to the C&C server. Once infected, a compromised system scans for additional systems to infect, while excluding IP ranges on a whitelist that belong to certain military and government networks.
One uncommon aspect of the GoScanSSH malware is that it uploads a unique binary to every system it infects; this could be because encryption keys or unique configuration data are embedded in the binary.
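The behaviour described above, a brute-force pass over default accounts such as root and admin followed by a successful login, leaves a distinctive trace in the SSH server's authentication log. The following is an added detection example, not code from the article or from Cisco Talos: it parses a few constructed sshd log lines (the IP addresses are documentation-range values, not real indicators) and flags any source that reaches a threshold of failed logins against default accounts, noting whether a later successful login from the same source followed. The account list beyond root and admin and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in the common auth.log format.
# These are made up for this example; 203.0.113.0/24 and 198.51.100.0/24
# are reserved documentation ranges, not observed GoScanSSH sources.
SAMPLE_AUTH_LOG = """\
Mar 26 10:12:01 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 26 10:12:03 bastion sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar 26 10:12:05 bastion sshd[1236]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Mar 26 10:12:07 bastion sshd[1237]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 26 10:12:09 bastion sshd[1238]: Accepted password for root from 203.0.113.5 port 51238 ssh2
Mar 26 10:15:00 bastion sshd[1250]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 26 10:15:20 bastion sshd[1251]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# root and admin are named in the article as targeted accounts; the other
# names are assumed common device defaults added for illustration.
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "ubuntu", "guest"}

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...", and "Accepted ..." lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text):
    """Return a list of dicts (result, method, user, ip) for sshd auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_brute_force(events, threshold=3):
    """Flag source IPs with >= threshold failed logins against default accounts.

    Returns {ip: {"failed": n, "accounts": [...], "success_after": user|None}}.
    success_after records the first account that logged in successfully from
    that IP after the threshold was reached, which is the compromise signal.
    """
    failures = defaultdict(list)   # ip -> default accounts tried and failed
    success_after = {}             # ip -> account accepted after threshold
    for ev in events:
        ip, user = ev["ip"], ev["user"]
        if ev["result"] == "Failed":
            if user in DEFAULT_ACCOUNTS:
                failures[ip].append(user)
        elif ev["result"] == "Accepted":
            if len(failures.get(ip, [])) >= threshold and ip not in success_after:
                success_after[ip] = user
    return {
        ip: {
            "failed": len(users),
            "accounts": sorted(set(users)),
            "success_after": success_after.get(ip),
        }
        for ip, users in failures.items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        status = "COMPROMISE LIKELY" if info["success_after"] else "brute-force only"
        print(f"{ip}: {info['failed']} failed logins on {info['accounts']} -> {status}")
```

Running it reports the 203.0.113.5 source as a brute-force run that ended in a successful root login, while the single failed attempt from 198.51.100.7 stays below the threshold. The mitigation that removes this class of attack entirely is to disallow password authentication on internet-facing SSH servers (`PasswordAuthentication no` and `PermitRootLogin no` in sshd_config) and require keys; the detection above then serves as a check that the policy is actually in effect.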