Distributed, Low-Intensity Botnets

badger.foo writes "We have seen the future of botnets, and it is distributed and low-key. Are sites running free software finally becoming malware targets? It all started with a higher-than-usual number of failed ssh logins at a low-volume site. I think we are seeing the shape of botnets to come, with malware authors doing their early public beta testing during the last few weeks."

Fleas on a dog

[try_anything]

If the bad guys can siphon off what they need without being more than a mild annoyance, they can operate without fear of retribution.

Nothing abnormal about SSH probes...

[knarf]

I've seen SSH probes on my one-man-and-a-dog site for aeons. I don't think there's anything out of the ordinary, the scum has been trying (and failing) to get in for as long as I've had something listening on the 'net - and that is a long time. There's also nothing new in them trying to root FLOSS-sites as those sites - with their fixed IP addresses, good uptime, high reliability and abundance of crappy PHP-scripts to open the doors - make for good C&C hosts for their flock.

So all I read from this flog is that a grumpy BSD user should probably check his logs more often. This is nothing new.

Re:Nothing abnormal about SSH probes...

[X0563511]

That's a DDoS, and would kick your one-man-and-a-dog site off the net. For a while, at least. And there would be nothing you could do about it.

How is this new? Botnets have had this capability for a looong time.

Re:Nothing abnormal about SSH probes...

[MichaelSmith]

That's a DDoS, and would kick your one-man-and-a-dog site off the net. For a while, at least. And there would be nothing you could do about it.

The parasite doesn't want to kill the host, because it would die too. This thing will tick away, slowly getting bigger.

Nothing new, move along

[girlintraining]

Okay, how is this different than previous patterns of hacking activity, other than the fact that they're aquiring compromised machines via a bot net? It's not! These "security researchers" remind me sometimes of my pothead friends. You can always tell someone who's new to smoking weed because they constantly ask the question, "but have you done it on WEED?" It's like somehow the idea that these people are using a botnet makes it all strange and new again. No, fail!

Re:Nothing new, move along

[ShaunC]

Okay, how is this different than previous patterns of hacking activity, other than the fact that they're aquiring compromised machines via a bot net?

You're sort of missing the point, I think, in that what's different about this pattern of activity is precisely the fact that it's being done with a botnet.

For one thing, there's a new level sophistication, primarily in that this bruteforce campaign is not the least bit random. I'm being hit by thousands of distinct attackers, yet the progression of usernames being attempted is undeniably alphabetical. Occasionally a particular username is attempted more than once, but it's typically sequential. One attempt per username with the attacking hosts only making one attempt every few hours.

The level of coordination required for this sort of attack is unprecedented. Across thousands of bots, each one at any given moment is able to determine:

• That I am among the pool of targets to be probed
• That I am, at this precise second, the next target to be probed
• That this particular bot hasn't probed me recently and is now eligible to probe me again
• Which usernames have already been probed on my machine
• The next username, in sequence, that should be attempted on my machine

In the past, brute force SSH attacks have always been obvious. Typical hit and runs. One host will spew hundreds or thousands of attempts at a target, typically in quick succession, typically focusing on system accounts, and typically trying a shitload of passwords against each account. Firewalls and IDS deployments far and wide will now easily detect (and often block) these attacks immediately because they're so easy to recognize.

This attack is very different. It's not targeting system accounts, it's hoping to get lucky against a vast list of potential userland lognames. It's only trying once or maybe twice per account. And it's distributing these attempts, round-robin style, across an impressive number of sources, with enough logic so that bot B will not attack host H unless all other bots in the network have sequentially exhausted their "token" attempt on host H.

What we're seeing is flying under the radar of a shit-ton of IDS/firewall implementations, and is harder to fight.

I would love to get my hands on the C&C database being used to coordinate all of this. Much as I hate to admit it, the architecture of this attack is unique and innovative, and I'd like to see what makes it tick.

Re:Non Distributed Botnets

[internerdj]

It is a bit more complicated than that. My job is a bit more important to me than reading the article and believe me where I work they are very unfriendly to circumventing security measures.

Re:Non Distributed Botnets

[flappinbooger]

you can read slashdot, but not a blog?

Isn't slashdot basically a big overgrown blog?

Re:Non Distributed Botnets

[ShaunC]

you can read slashdot, but not a blog?

This isn't surprising at all, even less so if he works in IT. Corporate management issues a new policy: "our computing resources are not to be used for [insert a huge list of time-wasting things employees have been caught doing in the office]." But keep in mind who's eventually tasked with implementing the policy. Given such an edict, network admins everywhere will happily block the most prolific productivity killers... Except for their own.

You'll find plenty of enterprises where MySpace, Facebook, Blogger, LiveJournal and friends all resolve to nowhere, yet geekier time pits like Slashdot and TechCrunch are wide open.