Researchers recently identified a new malware family named GoScanSSH that seems to target public SSH servers, but which avoids government and military IP addresses. How does the GoScanSSH malware work, and what is different about this malware?
SSH offers many improvements over Telnet and enables several types of secure, encrypted access to a system. Many enterprises consider it secure enough to expose to the internet via bastion hosts, which provide encrypted access to internal systems without requiring a separate VPN -- and SSH servers are often installed and listening for client connections by default.
While the SSH protocol and its mainstream implementations are considered secure, researchers at Cisco Talos recently blogged about an attack they discovered that targets systems running SSH. The GoScanSSH malware goes after SSH servers with default accounts: it scans the internet for open SSH servers and tries to brute-force guess the credentials of a default account to gain initial access to a system.
While Talos didn't mention whether any vulnerabilities were exploited to gain root access, many of the account names targeted by the scans -- including root and admin -- already have elevated system access. Once the attacker successfully logs into the targeted system, the malware is uploaded, infects that system and uses it to spread GoScanSSH further. GoScanSSH then checks in with its command-and-control (C&C) server through the Tor2web proxy service, which keeps the C&C server hidden from defenders.
The GoScanSSH malware uses a custom C&C protocol to send data it gathers about the compromised system back to the C&C server. Once infected, a compromised system scans for additional systems to infect, while excluding IP networks on a whitelist of certain military and government ranges.
One uncommon aspect of the GoScanSSH malware is that it uploads a unique binary to every system it infects; this could be because encryption keys or per-victim configuration data are embedded in the binary.
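As an added example (not code from Talos or from this answer), a small Python detector for the sign-in pattern described above: a burst of failed SSH logins against default accounts from one source, followed by a successful login from the same source. The sshd log lines, the year assumed for the year-less syslog timestamps and the default-account wordlist are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not taken from the Talos report).
SAMPLE_LOG = """\
Mar 26 10:00:01 bastion sshd[4122]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 26 10:00:02 bastion sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar 26 10:00:03 bastion sshd[4124]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 26 10:00:05 bastion sshd[4126]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar 26 10:05:00 bastion sshd[4130]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 26 10:05:30 bastion sshd[4131]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Assumed wordlist of commonly targeted default accounts; the answer itself names root and admin.
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "ubuntu", "user"}

def parse_events(log_text, year=2018):
    """Return {source_ip: [(timestamp, result, user), ...]} sorted by time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed for parsing
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["result"], m["user"]))
    return {ip: sorted(evs) for ip, evs in events.items()}

def find_default_account_bruteforce(log_text, threshold=3, window_seconds=60):
    """Flag sources with >= threshold failed logins to default accounts inside one
    sliding window, and record whether a later login from that source succeeded."""
    findings = {}
    for ip, evs in parse_events(log_text).items():
        fails = [ts for ts, result, user in evs
                 if result == "Failed" and user in DEFAULT_ACCOUNTS]
        burst = any((fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        # A success after the burst is the scenario above: guessed credentials, then malware upload.
        accepted = [user for ts, result, user in evs if result == "Accepted" and ts >= fails[0]]
        findings[ip] = {"failed_default_attempts": len(fails),
                        "succeeded_as": accepted[0] if accepted else None}
    return findings
```

On the sample log, 203.0.113.7 is flagged with three failed default-account attempts and a subsequent success as root, while the legitimate key-based login from 198.51.100.9 is not reported.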