A criminal group whose actions have at times been responsible for one-third of the Internet’s SSH traffic—most of it in the form of SSH brute force attacks—has been cut off from a portion of the Internet.
While not a botnet takedown in the traditional sense, networking providers Level 3 Communications and Cisco have blocked traffic emanating from two address blocks used by the group, and the companies said they will continue to do so as the group migrates to new netblocks.
The hackers, dubbed SSHPsychos, have been monitored since last summer when large numbers of SSH brute force attacks were detected. Researchers at Malware Must Die and FireEye catalogued the group’s activities, including their ability to drop a Linux-based rootkit onto compromised machines.
The group scans the Internet and attempts massive numbers of SSH logins from 220.127.116.11/23, using a list of more than 300,000 passwords, Cisco said. Should the brute-force attack succeed, a box on a different IP address range logs in and requests the Linux DDoS rootkit. The file is served from a U.S.-based hosting company at 18.104.22.168, Cisco said.
The rootkit then grabs more instructions from the command and control server that include configuration files and names of files to be deleted.
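The two-stage pattern Cisco describes, a burst of password guesses from one netblock followed by a successful password login for the same account from an address outside that netblock, is what a defender can look for in sshd logs. The detector below is an added example, not code from Cisco, Level 3 or the article; the log lines and addresses are constructed from TEST-NET ranges, and the /23 aggregation and the five-failure threshold are assumptions chosen to match the article's description.

```python
"""Flag brute-force bursts per /23 netblock in sshd auth logs, then flag any
password login for a guessed account that arrives from a different netblock.
Added example with constructed log lines; not the campaign's real addresses."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample sshd lines (syslog timestamp and host stripped for brevity).
SAMPLE_LOG = """\
sshd[1001]: Failed password for root from 203.0.113.4 port 40001 ssh2
sshd[1002]: Failed password for root from 203.0.113.9 port 40002 ssh2
sshd[1003]: Failed password for root from 203.0.112.77 port 40003 ssh2
sshd[1004]: Failed password for root from 203.0.113.4 port 40004 ssh2
sshd[1005]: Failed password for root from 203.0.113.12 port 40005 ssh2
sshd[1006]: Failed password for invalid user admin from 203.0.113.9 port 40006 ssh2
sshd[1007]: Accepted password for root from 198.51.100.7 port 50000 ssh2
sshd[1008]: Accepted publickey for deploy from 192.0.2.10 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)

def netblock(ip: str, prefix: int = 23) -> str:
    """Aggregate an address to its netblock so a scan spread across a /23 counts as one source."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def detect(log: str, threshold: int = 5, prefix: int = 23) -> dict:
    failures = Counter()                 # failed attempts per netblock
    failed_users = defaultdict(set)      # netblock -> accounts that were guessed
    accepted = []                        # (user, ip, netblock) for password logins only
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        block = netblock(m["ip"], prefix)
        if m["result"] == "Failed":
            failures[block] += 1
            failed_users[block].add(m["user"])
        elif m["method"] == "password":  # key-based logins are not the brute-force outcome
            accepted.append((m["user"], m["ip"], block))
    brute_blocks = {b for b, n in failures.items() if n >= threshold}
    # The follow-on login: a guessed account accepted by password from an
    # address outside every netblock that was doing the guessing.
    suspicious = [(user, ip) for user, ip, block in accepted
                  if block not in brute_blocks
                  and any(user in failed_users[b] for b in brute_blocks)]
    return {"brute_force_netblocks": sorted(brute_blocks), "suspicious_logins": suspicious}
```

Run `detect(SAMPLE_LOG)` to see the six failures collapse into one /23 and the root login from 198.51.100.7 flagged while the key-based deploy login is ignored.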
Cisco’s Craig Williams, technical lead of its TALOS research team, said the company is not ready to publish numbers to describe whether their actions have been successful, but would be able to do so within a week.
In the meantime, Cisco and Level 3 said they hope their actions inspire other providers to act accordingly. In this case, however, Level 3 CSO Dale Drew said there was “little response and cooperation” from other providers and infrastructure hosts.
“Others (Tier 1 hosts) are nervous about blocking IP address space on the backbone if those addresses are not harming the backbone itself,” Drew said. “Their concern is that if a compromised machine is owned by an innocent victim who does not realize they’ve been compromised, they could be blocking legitimate traffic as well. There’s resistance to blocking.”
Drew and Williams said their two companies have been working with the owners of compromised systems to get those machines cleaned up.
“Situations like this make it expensive for the hackers. They have to re-group, compromise new machines and start new campaigns,” Drew said. “We’re hoping it costs them.”
FireEye reported in February on this group and said it observed a single address hitting SSH servers worldwide, with tens of thousands of login attempts per server.