Security Experts:

Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Cisco, Level 3 Disrupt SSH Brute Force Attacks Used to Deliver DDoS Bot

Cisco’s Talos research group and Level 3 Communications have joined forces in an effort to disrupt the activities of a malicious actor that has been using Secure Shell (SSH) brute force attacks to distribute a sophisticated Linux DDoS bot.

Cisco’s Talos research group and Level 3 Communications have joined forces in an effort to disrupt the activities of a malicious actor that has been using Secure Shell (SSH) brute force attacks to distribute a sophisticated Linux DDoS bot.

The activities of this group, dubbed “SSHPsychos,” were first documented by the MalwareMustDie research group last year. In February, FireEye also published a report on the threat actor’s operations.

The attackers use a list of more than 300,000 unique passwords in an effort to guess root passwords. Cisco noticed in the first quarter of 2015 that the number of SSH authentication attempts from the netblock used by the group was larger than the number of attempts from all other hosts combined. In fact, at times, the attackers’ activities accounted for more than a third of the total Internet SSH traffic, Cisco said.

Once the SSH login is successful, the malicious actor, which is believed to have Chinese roots, downloads the XOR.DDoS malware onto the victim’s system. Researchers previously noted that XOR.DDoS is different from other DDoS bots because it’s written in C/C++ and it uses a rootkit component for persistence.

The malware can launch DDoS attacks against a list of targets provided by the command and control (C&C) server, and it can also download and execute other files.

After seeing that the reports published by the IT security community have not discouraged the malicious actor, Cisco and Level 3 decided to take action and try to remove he threat from the Internet. First, experts learned everything they could on the malware, and assessed the scale of the campaign and its impact. Then, the companies removed the routing capabilities for the netblocks used by the cybercriminals and urged other network operators to do the same. By blackholing attack traffic inside its global network, Level 3 has limited the threat group’s ability to compromise systems and deliver malware.

This operation doesn’t completely disrupt the activities of the SSHPsychos group, but at least it slows them down, experts noted.

At one point, SSHPsychos moved their scanning operation from to, and changed multiple malware and C&C server IP addresses. It’s likely that they will make further changes in an effort to resurrect their DDoS capabilities.

“While these changes protect the portions of the Internet overseen by Level 3, we believe there is still more to be done. We ask that others join us to stop malicious traffic from spreading on the internet,” Cisco researchers wrote in a blog post. “We encourage ISPs and network administrators to join our efforts to curb this specific group, by removing the routes for these networks in a controlled and responsible manner. If we work together, we have the opportunity to eliminate a group that is making no effort to hide their malicious activity.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami along with five associates in Europe


Russian Vladislav Klyushin made tens of millions of dollars by hacking into U.S. computer networks to steal insider information.


Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still...


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...