Researchers recently identified a new malware family named GoScanSSH that seems to target public SSH servers, but which avoids government and military IP addresses. How does the GoScanSSH malware work, and what is different about this malware?
SSH offers many improvements over Telnet and provides encrypted, authenticated access to a system. Many enterprises consider it secure enough to expose to the internet through bastion hosts, which give encrypted access to internal systems without requiring a separate VPN. Because SSH servers are often installed and listening for client connections by default, a very large number of them are reachable from the internet.
The SSH protocol and its mainstream implementations are not the weak point here. Researchers at Cisco Talos recently blogged about an attack they discovered that targets systems running SSH with weak credentials. The GoScanSSH malware scans the internet for open SSH servers and brute-forces a list of default or well-known account names and passwords to gain initial access; it does not need to exploit a software vulnerability to get in.
Talos didn't mention whether any vulnerabilities were exploited to escalate privileges, but many of the account names targeted by the scans, including root and admin, already carry elevated system access. Once the attacker successfully logs in, the GoScanSSH binary is uploaded to and executed on the victim, which then joins the effort to spread the malware further. The malware checks in with its command-and-control (C&C) server through the Tor2web proxy service, so the C&C server can sit on a Tor hidden service and its location stays hidden from defenders.
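Because the initial access described above is plain password guessing against well-known accounts, the most direct place to catch it is the SSH daemon's own authentication log. The following is an added example, not code from the Talos report or from the malware: it scans auth.log-style lines for a burst of failed logins from one source, lists the usernames that source tried, and flags any later successful login from that same source (or any password login as root) as a likely compromise. The log lines are constructed sample input; the threshold and the usernames other than root and admin are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real data). One source tries several
# default account names, then succeeds as root; a second host logs in normally.
SAMPLE_AUTH_LOG = """\
Mar 26 10:01:02 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 26 10:01:03 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 26 10:01:04 bastion sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar 26 10:01:05 bastion sshd[2104]: Failed password for invalid user guest from 203.0.113.7 port 51244 ssh2
Mar 26 10:01:06 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 26 10:01:09 bastion sshd[2106]: Accepted password for root from 203.0.113.7 port 51255 ssh2
Mar 26 10:15:44 bastion sshd[2200]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
"""

# OpenSSH message formats for failed and successful authentication.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def analyze_auth_log(text, threshold=5):
    """Return (brute-force sources, usernames tried per source, suspicious logins).

    threshold: failed attempts from one source before it is treated as a
    brute-force scanner (assumed value; tune to the environment).
    """
    failures = defaultdict(int)      # source IP -> failed attempts
    users = defaultdict(set)         # source IP -> usernames tried
    suspicious_logins = []

    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            # A success after a burst of failures from the same source is the
            # pattern GoScanSSH's credential guessing leaves behind; a password
            # login as root is worth flagging on its own.
            if failures[src] >= threshold or (method == "password" and user == "root"):
                suspicious_logins.append({
                    "src": src,
                    "user": user,
                    "method": method,
                    "prior_failures": failures[src],
                })

    brute_force_sources = {src for src, n in failures.items() if n >= threshold}
    return brute_force_sources, dict(users), suspicious_logins


if __name__ == "__main__":
    sources, tried, logins = analyze_auth_log(SAMPLE_AUTH_LOG)
    for src in sorted(sources):
        print(f"brute-force source {src}: tried {sorted(tried[src])}")
    for entry in logins:
        print(f"suspicious login: {entry}")
```

On a real bastion the same logic runs over /var/log/auth.log or `journalctl -u ssh`; the publickey login from the second host produces no alert, which is the point of disabling password authentication and root login in sshd_config in the first place.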
The GoScanSSH malware uses a custom C&C protocol to report data about the compromised system back to the C&C server. Once infected, the compromised system scans for additional systems to infect, while skipping IP ranges on a whitelist that belong to certain military and government networks.
One uncommon aspect of the GoScanSSH malware is that it uploads a unique binary to every system it infects, which also means a file hash from one victim won't match the sample on the next; this could be because encryption keys or unique configuration data are embedded in each binary.