Slashdot Mirror


Distributed, Low-Intensity Botnets

badger.foo writes "We have seen the future of botnets, and it is distributed and low-key. Are sites running free software finally becoming malware targets? It all started with a higher-than-usual number of failed ssh logins at a low-volume site. I think we are seeing the shape of botnets to come, with malware authors doing their early public beta testing during the last few weeks."

14 of 167 comments

  1. Fleas on a dog by try_anything · · Score: 4, Insightful

    If the bad guys can siphon off what they need without being more than a mild annoyance, they can operate without fear of retribution.

  2. Nothing abnormal about SSH probes... by knarf · · Score: 5, Insightful

    I've seen SSH probes on my one-man-and-a-dog site for aeons. I don't think there's anything out of the ordinary, the scum has been trying (and failing) to get in for as long as I've had something listening on the 'net - and that is a long time. There's also nothing new in them trying to root FLOSS-sites as those sites - with their fixed IP addresses, good uptime, high reliability and abundance of crappy PHP-scripts to open the doors - make for good C&C hosts for their flock.

    So all I read from this flog is that a grumpy BSD user should probably check his logs more often. This is nothing new.

    --
    --frank[at]unternet.org
    1. Re:Nothing abnormal about SSH probes... by kithrup · · Score: 1, Insightful

      The difference is a big one, and it should terrify you.

      Instead of a single host doing a few dozen or hundred ssh attempts -- which can be easily blocked, even automatedly -- this is a bunch of different hosts doing a coordinated attack. Low-key for the moment, sure -- each host has attempted to only do one or two probes at a time. But still the coordination is undeniable.

      And the part that should terrify you: if the coordinator, instead of having each host do a couple of probes in succession, chose instead to have all of the probes come in at once. From random hosts in the botnet.

      That's a DDoS, and would kick your one-man-and-a-dog site off the net. For a while, at least. And there would be nothing you could do about it.

    2. Re:Nothing abnormal about SSH probes... by X0563511 · · Score: 3, Insightful

      That's a DDoS, and would kick your one-man-and-a-dog site off the net. For a while, at least. And there would be nothing you could do about it.

      How is this new? Botnets have had this capability for a looong time.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:Nothing abnormal about SSH probes... by MichaelSmith · · Score: 3, Insightful

      That's a DDoS, and would kick your one-man-and-a-dog site off the net. For a while, at least. And there would be nothing you could do about it.

      The parasite doesn't want to kill the host, because it would die too. This thing will tick away, slowly getting bigger.

    4. Re:Nothing abnormal about SSH probes... by Anonymous Coward · · Score: 1, Insightful

      That's a DDoS, and would kick your one-man-and-a-dog site off the net. For a while, at least. And there would be nothing you could do about it.

      That has existed pretty much since the popularity of the web, and there are ways around it, they are very expensive, but this changes nothing.

      What we need is, against the better judgement of the white hats, someone to release a patch to permanently patch and firewall these botnets from the face of the earth. Yeah it'd break stuff, too bad.

  3. Re:Non Distributed Botnets by internerdj · · Score: 2, Insightful

    I can't RTFA at work cause it is a blog, but in this case, my guess would be: Not-distributed probably means a centralized C&C architecture which has been traditionally the case, as opposed to a de-centralized (AKA distributed) P2P type C&C architecture.

  4. Nothing new, move along by girlintraining · · Score: 4, Insightful

    Okay, how is this different than previous patterns of hacking activity, other than the fact that they're acquiring compromised machines via a bot net? It's not! These "security researchers" remind me sometimes of my pothead friends. You can always tell someone who's new to smoking weed because they constantly ask the question, "but have you done it on WEED?" It's like somehow the idea that these people are using a botnet makes it all strange and new again. No, fail!

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Nothing new, move along by ShaunC · · Score: 5, Insightful

      Okay, how is this different than previous patterns of hacking activity, other than the fact that they're acquiring compromised machines via a bot net?

      You're sort of missing the point, I think, in that what's different about this pattern of activity is precisely the fact that it's being done with a botnet.

      For one thing, there's a new level of sophistication, primarily in that this bruteforce campaign is not the least bit random. I'm being hit by thousands of distinct attackers, yet the progression of usernames being attempted is undeniably alphabetical. Occasionally a particular username is attempted more than once, but it's typically sequential. One attempt per username with the attacking hosts only making one attempt every few hours.

      The level of coordination required for this sort of attack is unprecedented. Across thousands of bots, each one at any given moment is able to determine:

      • That I am among the pool of targets to be probed
      • That I am, at this precise second, the next target to be probed
      • That this particular bot hasn't probed me recently and is now eligible to probe me again
      • Which usernames have already been probed on my machine
      • The next username, in sequence, that should be attempted on my machine

      In the past, brute force SSH attacks have always been obvious. Typical hit and runs. One host will spew hundreds or thousands of attempts at a target, typically in quick succession, typically focusing on system accounts, and typically trying a shitload of passwords against each account. Firewalls and IDS deployments far and wide will now easily detect (and often block) these attacks immediately because they're so easy to recognize.

      This attack is very different. It's not targeting system accounts, it's hoping to get lucky against a vast list of potential userland lognames. It's only trying once or maybe twice per account. And it's distributing these attempts, round-robin style, across an impressive number of sources, with enough logic so that bot B will not attack host H unless all other bots in the network have sequentially exhausted their "token" attempt on host H.

      What we're seeing is flying under the radar of a shit-ton of IDS/firewall implementations, and is harder to fight.

      I would love to get my hands on the C&C database being used to coordinate all of this. Much as I hate to admit it, the architecture of this attack is unique and innovative, and I'd like to see what makes it tick.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
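The pattern ShaunC describes above (many sources, one or two guesses each, usernames walking an alphabetical list) is exactly what a per-source-IP counter never sees. The following is an added example, not code from the thread or from any of the commenters: it parses OpenSSH `Failed password` lines from `auth.log`, aggregates across all sources, and separates the classic single-host hit-and-run from the distributed low-intensity campaign. The log lines are constructed (RFC 5737 documentation addresses), and the thresholds are assumptions to be tuned to a site's normal volume.

```python
import re
from collections import Counter

# One OpenSSH auth.log line per rejected password. The "invalid user" prefix
# appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed sample (documentation addresses, not real attackers): eight
# distinct sources, one guess each, usernames arriving alphabetically with
# hours between attempts, i.e. the shape described in the comment.
DISTRIBUTED_SAMPLE = """\
Nov  3 01:02:11 colo sshd[2101]: Failed password for invalid user aaron from 192.0.2.10 port 41002 ssh2
Nov  3 03:47:52 colo sshd[2188]: Failed password for invalid user abby from 198.51.100.7 port 53318 ssh2
Nov  3 06:15:09 colo sshd[2240]: Failed password for invalid user adam from 203.0.113.44 port 47120 ssh2
Nov  3 09:31:40 colo sshd[2307]: Failed password for invalid user alan from 192.0.2.77 port 60221 ssh2
Nov  3 12:08:25 colo sshd[2399]: Failed password for invalid user alex from 198.51.100.120 port 39874 ssh2
Nov  3 14:52:03 colo sshd[2451]: Failed password for alice from 203.0.113.9 port 55610 ssh2
Nov  3 18:20:47 colo sshd[2533]: Failed password for invalid user amy from 192.0.2.201 port 42997 ssh2
Nov  3 21:44:19 colo sshd[2602]: Failed password for invalid user andrew from 198.51.100.33 port 50188 ssh2
"""

# Constructed sample of the classic hit-and-run: one source, one system
# account, a dozen guesses inside a single minute.
CLASSIC_SAMPLE = "\n".join(
    f"Nov  3 02:15:{s:02d} colo sshd[3{s:03d}]: Failed password for root "
    f"from 203.0.113.5 port {40000 + s} ssh2"
    for s in range(12)
)


def parse_failed_logins(text):
    """Return (user, src) pairs, in log order, for every failed-password line."""
    hits = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            hits.append((m["user"], m["src"]))
    return hits


def alphabetical_ratio(users):
    """Fraction of consecutive username pairs in non-decreasing order.
    Near 1.0 means the guesses walk a sorted list; a random order sits near 0.5."""
    pairs = list(zip(users, users[1:]))
    if not pairs:
        return 1.0
    return sum(a <= b for a, b in pairs) / len(pairs)


def classify(attempts, single_source_threshold=5, min_sources=5,
             max_per_source=2, order_ratio=0.9):
    """Summarise a batch of failed logins and label the shape of the campaign.
    The thresholds are assumptions for this example; tune them per site."""
    if not attempts:
        return {"pattern": "none", "sources": 0, "max_per_source": 0,
                "distinct_users": 0, "alphabetical_ratio": 0.0}
    per_src = Counter(src for _, src in attempts)
    users = [user for user, _ in attempts]
    summary = {
        "sources": len(per_src),
        "max_per_source": max(per_src.values()),
        "distinct_users": len(set(users)),
        "alphabetical_ratio": round(alphabetical_ratio(users), 2),
    }
    if summary["max_per_source"] >= single_source_threshold:
        # Loud: one host hammering accounts; per-IP rate limiting catches this.
        summary["pattern"] = "single-source-bruteforce"
    elif (summary["sources"] >= min_sources
          and summary["max_per_source"] <= max_per_source
          and summary["alphabetical_ratio"] >= order_ratio):
        # Quiet: many hosts, one or two guesses each, coordinated username order.
        summary["pattern"] = "distributed-low-intensity"
    else:
        summary["pattern"] = "unclassified"
    return summary


if __name__ == "__main__":
    for name, sample in (("distributed", DISTRIBUTED_SAMPLE),
                         ("classic", CLASSIC_SAMPLE)):
        print(name, classify(parse_failed_logins(sample)))
```

The point of the aggregation is that no single source ever crosses a per-IP threshold, so a fail2ban-style rule stays silent; the signal lives in the whole-site view, where the number of distinct sources and the ordered progression of usernames both grow while the per-source count stays at one. Run against a rolling window of the real log (the sample strings are placeholders) and alert on the `distributed-low-intensity` label rather than on any single line.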
  5. Re:Non Distributed Botnets by internerdj · · Score: 4, Insightful

    It is a bit more complicated than that. My job is a bit more important to me than reading the article and believe me where I work they are very unfriendly to circumventing security measures.

  6. Re:Non Distributed Botnets by flappinbooger · · Score: 3, Insightful

    you can read slashdot, but not a blog?

    Isn't slashdot basically a big overgrown blog?

    --
    Flappinbooger isn't my real name
  7. Re:Isn't that... by davester666 · · Score: 2, Insightful

    Um, ssh attacks aren't new. They've been hitting my servers for years, and mine are for a private consulting company, with trivial amounts of random 'consumer' traffic.

    --
    Sleep your way to a whiter smile...date a dentist!
  8. Re:Non Distributed Botnets by ShaunC · · Score: 4, Insightful

    you can read slashdot, but not a blog?

    This isn't surprising at all, even less so if he works in IT. Corporate management issues a new policy: "our computing resources are not to be used for [insert a huge list of time-wasting things employees have been caught doing in the office]." But keep in mind who's eventually tasked with implementing the policy. Given such an edict, network admins everywhere will happily block the most prolific productivity killers... Except for their own.

    You'll find plenty of enterprises where MySpace, Facebook, Blogger, LiveJournal and friends all resolve to nowhere, yet geekier time pits like Slashdot and TechCrunch are wide open.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  9. Re:Surprise, surprise by ShaunC · · Score: 2, Insightful

    So we are still using password-based SSH authentication?

    The problem is that in any sort of working environment, where you have a very heterogeneous user base, it's really really hard to enforce anything else.

    Users - even the most basic of users - can be trained to enter a username and a password. They do it on Hotmail, they do it on Google, they do it on MySpace, they're used to the idea that when they want to login somewhere, they have to enter a username and a password. "That's how the internet works." So when their job functions require that they PuTTY into a box and make a couple choices from a shell-script menu, training them to enter a username and password is no big deal. Getting them to wrap their brains around a different authentication scheme is very difficult, even if your user base is fairly adept. Trying to set it all up for them is beyond the scope of most IT departments.

    I've come to use passwordless key-based auth for ssh, but not so much for security as for convenience. I share a single DSA key across 6 or 8 machines because it's damn easy to generate a key on one box, append it to ~/.ssh/authorized_keys2 on all of them, and forget all about it from there on out. ssh just works. svn just works. rsync just works. You create your key and make it common among your systems, everything is...fluid. But try convincing someone who isn't a sysadmin, and doesn't have to deal with multiple machines, and doesn't use other applications that tunnel on top of ssh, that there's a benefit to setting up "weird encryption key stuff."

    I have a 1u (personal, non-work-related) server in a colo facility. There are fewer than 10 users, all close friends, all tech savvy, all CS/IT types. Even with this very specialized audience, I couldn't convince all of them to switch to key-based auth; if I disabled PasswordAuthentication, I wouldn't hear the end of it. Temporarily moving sshd to a different port was hard enough. I can't even begin to imagine the hell that would ensue if they suddenly went key-based only at work.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
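The comment above turns on one sshd setting, `PasswordAuthentication`, and the follow-on ones that decide whether a guessed password can ever succeed. As an added example (not the commenter's configuration and not part of the thread), here is a small audit that reads an `sshd_config`, honours the two parsing rules that trip people up (the first value seen for a keyword wins, and anything after a `Match` line is conditional), and reports which of a few keywords still allow password or root logins. Both configs are constructed: the weak one is the setup described in the comment, the hardened one is keys only. The policy table and its defaults are assumptions drawn from `sshd_config(5)`.

```python
import re

# sshd_config(5) accepts "Keyword value" or "Keyword=value"; this splits either.
KEYVAL_RE = re.compile(r"\s*=\s*|\s+")

# Assumed policy for this example: keyword -> (accepted values, the OpenSSH
# default used when the keyword is absent). ChallengeResponseAuthentication is
# the older name of KbdInteractiveAuthentication; either can be used.
POLICY = {
    "passwordauthentication": ({"no"}, "yes"),
    "challengeresponseauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
}

# Constructed: password logins on, root allowed. The Match block narrows
# PermitRootLogin for one subnet only; the global value is still "yes".
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
"""

# Constructed: keys only. The duplicate last line has no effect because sshd
# keeps the first value it sees, and the audit must agree with sshd on that.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PasswordAuthentication yes   # ignored: first value seen wins
"""


def parse_sshd_config(text):
    """Global-scope directives as {keyword_lower: value}, first occurrence wins.
    Stops at the first Match line, since later lines apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = KEYVAL_RE.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """One finding per policy keyword whose effective global value is not accepted."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (accepted, default) in POLICY.items():
        value = settings.get(key, default).lower()
        if value not in accepted:
            findings.append(f"{key}={value}; want one of {sorted(accepted)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Note that the weak config yields three findings, not two: `ChallengeResponseAuthentication` is never set, and its default of `yes` leaves a keyboard-interactive path that still accepts a password even after `PasswordAuthentication no`. On a live host the safer input is the effective configuration printed by `sshd -T`, which has already resolved defaults and duplicates, so the file parser is only needed for configs you cannot load on the target.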