SecurityWeek

Cisco, Level 3 Disrupt SSH Brute Force Attacks Used to Deliver DDoS Bot

Cisco’s Talos research group and Level 3 Communications have joined forces in an effort to disrupt the activities of a malicious actor that has been using Secure Shell (SSH) brute force attacks to distribute a sophisticated Linux DDoS bot.

The activities of this group, dubbed “SSHPsychos,” were first documented by the MalwareMustDie research group last year. In February, FireEye also published a report on the threat actor’s operations.

The attackers use a list of more than 300,000 unique passwords in an effort to guess root passwords. Cisco noticed in the first quarter of 2015 that the number of SSH authentication attempts from the netblock used by the group was larger than the number of attempts from all other hosts combined. In fact, at times, the attackers’ activities accounted for more than a third of the total Internet SSH traffic, Cisco said.

Once the SSH login is successful, the malicious actor, which is believed to have Chinese roots, downloads the XOR.DDoS malware onto the victim’s system. Researchers previously noted that XOR.DDoS is different from other DDoS bots because it’s written in C/C++ and it uses a rootkit component for persistence.

The malware can launch DDoS attacks against a list of targets provided by the command and control (C&C) server, and it can also download and execute other files.

After seeing that the reports published by the IT security community had not discouraged the malicious actor, Cisco and Level 3 decided to take action and try to remove the threat from the Internet. First, the researchers learned everything they could about the malware and assessed the scale of the campaign and its impact. Then the companies removed routing for the netblocks used by the cybercriminals and urged other network operators to do the same. By blackholing attack traffic inside its global network, Level 3 has limited the threat group's ability to compromise systems and deliver malware.

This operation doesn’t completely disrupt the activities of the SSHPsychos group, but at least it slows them down, experts noted.

At one point, SSHPsychos moved their scanning operation from 103.41.124.0/23 to 43.255.190.0/23, and changed multiple malware and C&C server IP addresses. It’s likely that they will make further changes in an effort to resurrect their DDoS capabilities.
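As an added illustration (not code from the SecurityWeek article or from the Cisco and Level 3 research), the script below shows what a defender can do with the two concrete facts the article gives: the attackers brute-force the root account over SSH, and their scanning came from 103.41.124.0/23 and later 43.255.190.0/23. It parses OpenSSH "Failed password" lines from a constructed auth.log sample, counts failed root logins per source address, flags sources that sit inside those netblocks or exceed a failure threshold, and prints Linux null-route commands for the matching netblocks as a host-level analogue of the route removal the article describes. The sample log lines, the threshold of five failures and the function names are assumptions made for the example.

```python
import re
import ipaddress
from collections import Counter

# Netblocks the article names as SSHPsychos scanning sources.
SSHPSYCHOS_NETBLOCKS = [
    ipaddress.ip_network("103.41.124.0/23"),
    ipaddress.ip_network("43.255.190.0/23"),
]

# OpenSSH writes failed password attempts to auth.log in this syslog form;
# the optional "invalid user" prefix appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (user, source_ip) for every sshd failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def in_known_netblocks(ip):
    """True if ip falls inside one of the article's SSHPsychos netblocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # sshd normally logs IPs, but be defensive
        return False
    return any(addr in net for net in SSHPSYCHOS_NETBLOCKS)


def analyse(lines, root_threshold=5):
    """Count failed root logins per source and return (root_failures, flagged).

    A source is flagged when it lies in a known SSHPsychos netblock or when its
    failed root logins reach root_threshold (5 is an assumed, illustrative value).
    """
    root_failures = Counter()
    all_failures = Counter()
    for user, ip in parse_failures(lines):
        all_failures[ip] += 1
        if user == "root":
            root_failures[ip] += 1
    flagged = {}
    for ip in all_failures:
        reasons = []
        if in_known_netblocks(ip):
            reasons.append("known SSHPsychos netblock")
        if root_failures[ip] >= root_threshold:
            reasons.append(f"{root_failures[ip]} failed root logins")
        if reasons:
            flagged[ip] = reasons
    return root_failures, flagged


def suggest_null_routes(flagged):
    """Linux null-route commands for the known netblocks that flagged sources belong to.

    This is a host-level stand-in for the ISP-level route removal in the article.
    """
    cmds = set()
    for ip in flagged:
        addr = ipaddress.ip_address(ip)
        for net in SSHPSYCHOS_NETBLOCKS:
            if addr in net:
                cmds.add(f"ip route add blackhole {net}")
    return sorted(cmds)


# Constructed sample auth.log lines (not real traffic); 103.41.124.17 and
# 43.255.190.88 fall inside the article's netblocks, the others do not.
def _line(sec, pid, msg):
    return f"Apr 10 03:14:{sec:02d} host sshd[{pid}]: {msg}"

SAMPLE_LOG = (
    [_line(7, 2231 + i, "Failed password for root from 103.41.124.17 port 51132 ssh2") for i in range(5)]
    + [_line(9, 2240, "Failed password for root from 43.255.190.88 port 40011 ssh2")]
    + [_line(10, 2245, "Failed password for invalid user admin from 198.51.100.9 port 60000 ssh2")]
    + [_line(11, 2250, "Accepted publickey for deploy from 203.0.113.5 port 42000 ssh2")]
    + [_line(12, 2251 + i, "Failed password for root from 203.0.113.77 port 42001 ssh2") for i in range(6)]
)

if __name__ == "__main__":
    root_failures, flagged = analyse(SAMPLE_LOG)
    for ip, reasons in flagged.items():
        print(f"{ip}: {'; '.join(reasons)}")
    for cmd in suggest_null_routes(flagged):
        print(cmd)
```

Against real logs, run `analyse(open("/var/log/auth.log"))`; the threshold should be tuned to the host, and the netblock list extended as the actor moves, since the article notes SSHPsychos changed ranges at least once.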

“While these changes protect the portions of the Internet overseen by Level 3, we believe there is still more to be done. We ask that others join us to stop malicious traffic from spreading on the internet,” Cisco researchers wrote in a blog post. “We encourage ISPs and network administrators to join our efforts to curb this specific group, by removing the routes for these networks in a controlled and responsible manner. If we work together, we have the opportunity to eliminate a group that is making no effort to hide their malicious activity.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.