CERT Polska warns on malware-based DDoS infections

Polish agency warns about corporate servers being targeted

Poland's CERT – Computer Emergency Response Team – is warning that hackers are illicitly installing malware on users' Windows and Linux corporate machines, which then covertly launch DDoS (distributed denial-of-service) attacks against multiple systems.

CERT Polska says that it spotted the Windows malware at the start of the month, and has since seen a Linux version which launches dictionary attacks against the SSH (Secure Shell) service.

This variant targets remotely accessible SSH systems that use weak passwords; the Polish researchers say the malware runs in daemon mode under the control of a command-and-control (C&C) server.

Whilst the malware code appears to use well-worn attack techniques, such as DNS amplification and SYN flooding, the key issue is that it relays a variety of data back to the C&C server: the tasks running, the host's CPU speed, system load and the speed of the underlying IP connection.

Mike McLaughlin, a senior pen tester and technical team leader with First Base Technologies, told SCMagazineUK.com that this suggests the hackers are targeting high-bandwidth company systems and servers, and launching a high-powered dictionary attack against remotely accessible SSH-based systems.

“That means they are likely to have specific targets in mind,” he said, adding that corporate system users should be switching to a longer passphrase authentication system from shorter passwords.

“We always recommend the use of a sentence-based approach, which means the passphrase is both simple to remember, known only to the user, and, of course, impossible to crack using a brute-force dictionary-based attack process,” he explained.

Sentence-based passphrases are far more secure, he went on to say, and most networking systems – including those from Cisco – now support spaces between words in sentences.

Where spaces are not supported, he says, users can insert underscore characters to allow them to use sentence-based passphrases.

This issue was echoed by Andrew Mason, co-founder and Technical Director of open source security specialist RandomStorm, who said that, for starters, good security design would always enforce a secure password that could not be guessed with a standard dictionary-based password attack.

“Also SSH should always be restricted either on the server itself or through a firewall, to allow access from only source IP addresses that require access. SSH should never be open to the general public, as it provides a means of gaining access directly to the server,” he explained.

Mason told SCMagazineUK.com that the DDoS malware attack vector is elegantly simple and is an automated version of what has been used manually by hackers for years.

“From our own research, we see thousands of SSH requests on a daily basis and any server with SSH open to the public is then subject to a barrage of dictionary-based attacks for commonly used user names,” he said.
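Mason's observation about daily barrages of SSH dictionary attempts, together with his earlier recommendation to restrict SSH to known source addresses, can be turned into a simple triage check over sshd logs. The following is an added example, not code from CERT Polska, RandomStorm or the article: it parses constructed sshd log lines, flags sources that fail against several different usernames, and marks whether each is outside a hypothetical allow-list of addresses that legitimately need SSH.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth log lines (not real data): one source runs
# a dictionary attack across common usernames, another is a normal user.
SAMPLE_LOG = """\
Jan 14 03:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan 14 03:12:02 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.45 port 51023 ssh2
Jan 14 03:12:02 web1 sshd[2205]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jan 14 03:12:03 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.45 port 51025 ssh2
Jan 14 03:12:04 web1 sshd[2209]: Failed password for invalid user postgres from 203.0.113.45 port 51026 ssh2
Jan 14 03:15:40 web1 sshd[2311]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Jan 14 03:15:45 web1 sshd[2311]: Accepted publickey for alice from 198.51.100.7 port 40110 ssh2
"""

# Matches OpenSSH "Failed password" lines for both valid and invalid users.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

# Hypothetical allow-list: the only source addresses that should reach SSH,
# mirroring the recommendation to restrict SSH by source IP.
ALLOWED_SOURCES = {"198.51.100.7"}

def summarise_failures(log_text):
    """Return {source_ip: {"attempts": n, "users": set()}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            stats[src]["attempts"] += 1
            stats[src]["users"].add(user)
    return stats

def flag_dictionary_attacks(log_text, min_attempts=3, min_users=2):
    """Flag sources with repeated failures spread over several usernames,
    the signature of a dictionary attack rather than a mistyped password."""
    findings = []
    for src, s in summarise_failures(log_text).items():
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users:
            findings.append({
                "source": src,
                "attempts": s["attempts"],
                "users": sorted(s["users"]),
                "outside_allowlist": src not in ALLOWED_SOURCES,
            })
    return sorted(findings, key=lambda f: -f["attempts"])

if __name__ == "__main__":
    for finding in flag_dictionary_attacks(SAMPLE_LOG): print(finding)
```

A source flagged as outside the allow-list is also evidence that the firewall or sshd restriction Mason describes is not in place.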

Bob Tarzey, an analyst and director with the business and research analysis house Quocirca, warned that his client conversations suggest that DDoS is going to continue to be a big problem during 2014.

“This analysis from CERT Polska shows how sophisticated some of the malware behind DDoS is getting. Larger organisations need to consider direct protection for their networks, smaller organisations need to ensure they select service providers that can do this for them,” he said.

“Another reason is to understand why one might be targeted by DDoS. A direct attack could be followed by attempts at extortion and there have been cases of competitive take out reported,” he added.

“It could also be a campaign against a given organisation undertaken by hacktivists. However, perhaps the most insidious threat from DDoS is distraction, where the attack is masking another more targeted attack that is the real threat to a given victim organisation,” he concluded.
