NEWS FROM THE LAB - Tuesday, May 27, 2008

Romanian Whack-A-Mole and Linux Bots Posted by Toni @ 17:27 GMT

It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.

We recently received a sample containing several different files:

A psyBNC installation; legitimate software used by many for normal purposes, but it's also a common tool in an attacker's toolkit.

And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.

The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite many such as these, all headed for the same network even though it does have a working abuse address and the network's administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania.

Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.


The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than you average Joe Consumer.

The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak.