Researchers recently identified a new malware family named GoScanSSH that seems to target public SSH servers, but which avoids government and military IP addresses. How does the GoScanSSH malware work, and what is different about this malware?
SSH offers many improvements over Telnet, chief among them encrypted, authenticated access to a system. Many enterprises consider it secure enough to expose directly to the internet, typically through bastion hosts that provide encrypted access to internal systems without requiring a separate VPN. SSH servers are also often installed and listening for client connections by default, so there is a very large population of internet-reachable SSH servers for an attacker to scan.
The SSH protocol and its mainstream implementations are not what is being attacked here. Researchers at Cisco Talos recently blogged about a campaign they discovered that targets systems running SSH: the GoScanSSH malware scans the internet for reachable SSH servers and then tries to brute-force the login by guessing default and weak credentials for common account names, using a successful guess as its initial access to the system.
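The detection side of the behaviour described above, as an added example that is not part of the Talos report or of the GoScanSSH code: a small parser for the standard OpenSSH sshd syslog lines that flags source addresses which repeatedly fail password logins against default account names, or which succeed with a password on such an account after failing. The log lines are constructed for the example, the account list contains only the names the article mentions (extend it with whatever defaults apply to your own fleet), and the threshold is an assumption to tune.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH sshd syslog format (not real logs).
SAMPLE_AUTH_LOG = """\
Mar 26 10:01:02 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 26 10:01:03 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 26 10:01:04 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 26 10:01:05 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Mar 26 10:01:06 bastion sshd[2104]: Accepted password for admin from 203.0.113.7 port 51026 ssh2
Mar 26 10:02:10 bastion sshd[2110]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar 26 10:02:15 bastion sshd[2111]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Account names the article says the scans target; assumed list, extend for your environment.
DEFAULT_ACCOUNTS = {"root", "admin"}

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (sshd's wording for unknown users).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_default_account_bruteforce(text, threshold=3):
    """Return {src_ip: {"failures": n, "success": bool}} for every source that
    either failed at least `threshold` password logins against default accounts,
    or failed at least once and then succeeded with a password on one of them.
    Public-key logins are ignored: the campaign guesses passwords, not keys."""
    per_ip = defaultdict(lambda: {"failures": 0, "success": False})
    for ev in parse_auth_log(text):
        if ev["method"] != "password" or ev["user"] not in DEFAULT_ACCOUNTS:
            continue
        if ev["result"] == "Failed":
            per_ip[ev["ip"]]["failures"] += 1
        else:
            per_ip[ev["ip"]]["success"] = True
    return {
        ip: stats
        for ip, stats in per_ip.items()
        if stats["failures"] >= threshold or (stats["failures"] > 0 and stats["success"])
    }


if __name__ == "__main__":
    for ip, stats in find_default_account_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {stats['failures']} failed default-account logins, "
              f"password success={stats['success']}")
```

On the sample input the only flagged source is 203.0.113.7, with four failures followed by a successful password login as admin; the failed attempts against alice from 198.51.100.9 are not counted because alice is not a default account, and her later key-based login is not a password guess at all. In production, read the lines from the journal or auth.log in a sliding window rather than from a string, since the threshold only means something per unit of time.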
Talos did not mention any vulnerability being exploited to gain root access; the initial access comes from guessed credentials, and many of the account names the scans target, including root and admin, carry elevated privileges on the system. Once the attacker logs into the targeted system, the malware is uploaded to that host and run, which infects it and turns it into another node spreading GoScanSSH. The malware then checks in with its command-and-control (C&C) server through the Tor2web proxy service, which lets a client reach a Tor hidden service without running Tor itself and keeps the real location of the C&C server hidden from defenders.
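Since the initial access relies entirely on password guessing against privileged default accounts, the corresponding hardening check is on the sshd configuration. Below is an added example, not code from the article or from Talos, that parses an sshd_config and reports the settings that leave a server exposed to this kind of campaign: root login over SSH, password authentication, and a high MaxAuthTries. The two configurations are constructed for the example; the expected values and the MaxAuthTries limit of 3 are the author's assumptions, and Match blocks are deliberately not evaluated.

```python
# Constructed example configurations (not taken from the article).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# MaxAuthTries not set, so OpenSSH's default of 6 applies
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups ssh-users
"""

# Assumed policy: which values are acceptable for each keyword (compared lower-cased,
# as sshd itself treats keywords case-insensitively).
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
}
MAX_AUTH_TRIES_LIMIT = 3  # assumed limit; OpenSSH's built-in default is 6


def parse_sshd_config(text):
    """Return {keyword_lower: value_lower} for the global section of an sshd_config.
    sshd uses the first occurrence of a keyword, so later duplicates are ignored;
    comments and blank lines are skipped, and parsing stops at the first Match block
    because settings inside it apply only to the matched connections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower())
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the config
    meets the assumed policy for the settings this check covers."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is not set explicitly; the OpenSSH default applies")
        elif value not in allowed:
            findings.append(f"{key} is '{value}', expected one of {sorted(allowed)}")
    tries = settings.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"maxauthtries is missing or above {MAX_AUTH_TRIES_LIMIT}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

The weak configuration yields three findings and the hardened one none. Turning off password authentication removes the brute-force vector entirely rather than merely slowing it down, which is why it is listed before MaxAuthTries; on a real host, run the check against the output of `sshd -T`, which prints the effective configuration with defaults filled in, rather than against the file alone.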
GoScanSSH uses a custom C&C protocol: it gathers data about the compromised system and sends it back to the C&C server. Once infected, a compromised system scans for further systems to attack, skipping any address that falls within a built-in exclusion list of IP networks associated with certain military and government organizations.
One uncommon aspect of GoScanSSH is that it uploads a unique binary to every system it infects, so the file hash differs from host to host and hash-based indicators of compromise are of little use against it. A likely explanation is that the encryption keys or other per-victim configuration data are embedded in the binary when it is built.