Re: S: ssh worms FAQ
From: jayjwa (jayjwa_at_nowhere.org)
Date: 09/18/04
- Next message: jayjwa: "Re: ssh worms FAQ"
- Previous message: Bill Unruh: "Re: S: ssh worms FAQ"
- Maybe in reply to: Tim Haynes: "Re: S: ssh worms FAQ"
- Next in thread: Joe: "Re: S: ssh worms FAQ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 18 Sep 2004 06:38:52 -0000
On 2004-09-15, Innocenti Maresin <av95@comtv.ru> wrote:
> Hello!
>
> There are many ssh worms in the Internet since this summer.
> These worms often try to access
> "test", "guest", "admin", "user" and "root" accounts.
These aren't "worms". "Worm" as it's used today is a misnomer for
virus (I'm not going to argue this point again, see the alt.virus
groups for many of my posts about that and my references). These are
straight-up attacks from other people. I'm sure there's an
automated script or two, but by and large they are people sitting
down at another machine running attack tools. I've been following this
and have studied it in depth, and have recovered quite a lot of the
evidence off machines compromised in this way (logs, history files,
shell histories, downloaded tools & archives, tgz's, two different
viruses downloaded and placed on the machines, several versions of the
Linux ptrace exploit, etc.). Most of the machines that get nailed had
weak passwords with BS accounts like "test" and "guest". The first
copies of the tools to appear were crude, and only tried several
combos of those logins, and "root", in pairs, like "test:test",
"guest:guest". They generated IP lists (like you can do with nmap) and
sometimes wrote shell scripts to try ssh at the listed IPs with
several sets of those logins. Letting this run overnight, sometimes in
the morning the script kiddies would get lucky. Then they'd use local
exploits like mremap, do_brk, kmem/ptrace (all recent and semi-recent
kernel bugs) to try for root. If they could get root, they compromised
the system further, installing rootkits. I've pulled copies of SucKit,
T0rn, and a couple of others off those systems. Some of the original URLs
are still up in Romania today, many in the .go.ro domain. Later
versions of the tools were C programs linked against libssh,
statically, and had larger lists of passwords. Most of the passwords
were still dictionary words, and 8 characters, or about 8-10
characters. This tool was posted on various exploit boards, and adding
passwords to the list is a trivial matter. Later versions of the tools
added longer and longer lists of passwords, and more complex
passwords, plus they tried to log in to accounts that may be left open
but shouldn't be, like httpd, mysql, nobody, etc.
Once the attackers got in, they almost always did the same thing:
install IRC crap, BNCs (I found a copy of PsyBNC), bots ("fastmech",
really "energymech"), and the like. There was even a channel on
Undernet for a while that had these bots connect to it, since the config
file in the tgz was already set up to connect there. This tgz was named
"mech.tgz". Others were spl.tgz, god.tgz, xpl.tgz, rkid.tgz. They were
frequently loaded with copies of the Linux viruses RST (the Remote Shell
Trojan) and OSF (an ELF infector, one of the more successful). In one
archive, I found over 5 copies of RST, with names like "ls" and
"sanders". I did an in-depth study on RST, and disassembled it. While
researching it, I found material from years back where a similar thing
happened: ssh's were attacked, attackers broke in, they ran copies of
RST. Although RST checks for active reversing with checks for
ptrace/TRACEME, it was frequently found attached to kernel exploits
that involved ptrace, probably to try to boost the virus's power by
making sure it had root rights when run (if the exploit was
successful). There exist 3 files with all the tests and work I did on
it: RST.linux.02.zoo, SSH-bruteforce.zoo, and ssh-crack.rar; zoo and
rar archives. The report on RST is 'RST.Report.txt'.
There IS an actual file called "sshworm", but it's not very
impressive, just a shell script that tries to look for ssh keys and
log in to systems it finds. It depends on a lot of special circumstances
and users having their accounts set up just so, so it's very unlikely
to ever get farther than POC code (and hasn't, to date). You kinda
have to help it along to get it going. The two scenarios
aren't/weren't related.
-- --- SIGSEGV (Segmentation fault) @ 0 (0) --- +++ killed by SIGSEGV +++
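As an added defender-side example, not part of jayjwa's post or of any tool discussed in the thread: the pattern described above (a source trying "test", "guest", "admin", "user" and "root" in a row, then occasionally getting in) is easy to spot in sshd's syslog output. The script below parses the standard OpenSSH "Failed password" and "Accepted" lines, groups failures by source address, flags sources that either exceed a failure threshold or touch one of the account names the post lists, and reports whether the same source later logged in. The log lines are constructed for the example, and the threshold and watched-account list are assumptions to tune locally.

```python
import re
from collections import defaultdict

# Account names the post says the tools tried, plus the service accounts it
# mentions as "left open but shouldn't be". Assumption: adjust for your site.
WATCHED_ACCOUNTS = {"test", "guest", "admin", "user", "root",
                    "httpd", "mysql", "nobody"}

# Classic OpenSSH syslog lines, with or without the "invalid user" marker.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth log: one source walking the weak-account list and
# then getting into "guest"; one legitimate user who mistyped once.
SAMPLE_LOG = """\
Sep 18 02:11:03 host sshd[2210]: Failed password for invalid user test from 192.0.2.10 port 40122 ssh2
Sep 18 02:11:05 host sshd[2212]: Failed password for guest from 192.0.2.10 port 40124 ssh2
Sep 18 02:11:07 host sshd[2214]: Failed password for invalid user admin from 192.0.2.10 port 40126 ssh2
Sep 18 02:11:09 host sshd[2216]: Failed password for root from 192.0.2.10 port 40128 ssh2
Sep 18 02:11:11 host sshd[2218]: Failed password for invalid user user from 192.0.2.10 port 40130 ssh2
Sep 18 02:11:14 host sshd[2220]: Accepted password for guest from 192.0.2.10 port 40132 ssh2
Sep 18 03:40:21 host sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Sep 18 03:40:30 host sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""


def parse_auth_log(lines):
    """Return (failures, successes).

    failures maps source IP -> list of usernames that failed, in log order;
    successes is a list of (ip, user) tuples for accepted logins.
    """
    failures = defaultdict(list)
    successes = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes.append((m.group("ip"), m.group("user")))
    return failures, successes


def find_bruteforce(lines, threshold=5):
    """Flag sources that fail >= threshold times or probe a watched account.

    For each flagged source, also list any accounts it subsequently logged
    into, which is the "got lucky overnight" case worth paging someone for.
    """
    failures, successes = parse_auth_log(lines)
    report = {}
    for ip, users in failures.items():
        tried = set(users)
        if len(users) >= threshold or tried & WATCHED_ACCOUNTS:
            logged_in = [u for (src, u) in successes if src == ip]
            report[ip] = {
                "failures": len(users),
                "watched_accounts": sorted(tried & WATCHED_ACCOUNTS),
                "subsequent_logins": logged_in,
            }
    return report


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        flag = "COMPROMISED?" if info["subsequent_logins"] else "probing"
        print(f"{ip}: {info['failures']} failures, tried "
              f"{info['watched_accounts']}, logins {info['subsequent_logins']} [{flag}]")
```

Run it against a real `/var/log/auth.log` (or `journalctl -u ssh` output) by replacing `SAMPLE_LOG.splitlines()` with the file's lines. The "subsequent_logins" field is the one to act on: a source that walked the weak-account list and then got an "Accepted password" is exactly the case the post describes, and the next step on that host is looking for the dropped tgz's and local privilege-escalation attempts, not just blocking the address.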