Zombie machines used in 'brutal' SSH attacks

It's a tedious activity that can put the best of IT administrators to sleep. But as security and compliance manager for a large U.S. healthcare organization, Adam Nunn has learned to study his network activity logs religiously. He knows that when the bad guys work overtime to break his defenses, those logs can be the first sign of trouble.

He had a more relaxed approach to log checking at home. But one day he had a look and was alarmed to find that more than 1,000 brute force attacks had been targeting his personal Web server for a month.

"Unless you check your logs, you won't notice this kind of thing," Nunn said. "The fact that tons of these attacks were directed at my home Web server tells me some much larger attacks are going on and that enterprises are a target. This really worries me on the enterprise front."

David Hoelzer, owner of security research firm Cyber-Defense, said Nunn's concern is well justified. In the last few months he's seen a dramatic spike in Secure Shell [SSH] brute force authentication attacks and wordlist/username attacks. Like Nunn, he's comparing notes with other security professionals and finding that it's happening on a much broader scale. What's worse is that hackers are using a growing army of zombie machines to pull it off.

"If I were an IT admin checking my logs and seeing this for the first time, I'd be feeling a sense of dread," Hoelzer said. "This tells you that hackers are getting much better at cracking SSH. It took a long time for people to switch from Telnet to SSH, which is more secure. But if you're able to break into a network through Secure Shell, the attack is encrypted and it's a lot harder to trace."

Attackers 'finding something'

SSH, also known as Secure Socket Shell, is a Unix-based command interface and protocol, according to Whatis.com, a sister site of SearchSecurity.com. It's widely used by network administrators to control Web and other kinds of servers remotely. SSH commands are secured in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted. So when someone can penetrate a firewall through SSH, Hoelzer said, "That's a big problem."

Related news items IT shops lax about logging Botnets more menacing than ever

"When you see something widespread like this, it means attackers have found that many people are running SSH servers on the Internet, so it's seen as an attractive attack vector," he said. "Another reason this concerns me is that attackers tend not to waste their time. They don't scan randomly hoping to hit something. If they're scanning for SSH like this, there're fining something they can use."

A validated list of hosts engaged in this behavior is available on the Cyber-Defense Web site.

The zombie affect
These attacks are yet another indication of how attackers are putting their army of hijacked machines to use, Hoelzer said. "Most systems I see scanning for SSH are generally not the actual attacker," he said. "They are systems that have already been compromised that are being used to scan for weaknesses to exploit. The problem for those who try to find the source of attack is that it's not necessarily where the attacker is, but where the compromised machine is."

While the zombie army is global, he said many of the scans he's seeing appear to be coming from hijacked machines in China, Brazil and the United States. A majority of them are PCs or small business computers.

Lines of defense
Hoelzer's advice to IT managers is to avoid hooking SSH servers to the Internet if at all possible. "I tell clients, never have SSH available on the Internet, or any other administrative tool for that matter," he said.

If an IT shop finds it absolutely necessary to have Web-based access, Hoelzer said it should be very restricted. "If we restricted who could connect to SSH, that would make a big difference," he said. "I'd also advise people to use certificates for authentication if you must use a SSH server on the Internet. That essentially nullifies the attack."

Users would also do well to follow Nunn's example and check those logs regularly, he said.

"People tend to only look at logs when something has happened," he said. "This goes to show that you need to look at them regularly. People tend not to because it's a boring task. But there are some great automated tools for doing it. In a Unix environment, Logcheck is one great tool. Swatch and Security Event Correlator (SEC) are good, too."