DShield Captures Self-Propagating SSH Worm Exploiting Default Credentials

A new SSH worm that combines default-credential brute forcing with cryptographically signed commands has been captured by DShield sensors, highlighting how exposed devices with weak authentication remain.

This fast-moving botnet targets Internet of Things (IoT) devices, Raspberry Pi computers in particular, by logging in with default usernames and passwords. Once a device is compromised, the worm runs a compact 4.7 KB bash script that establishes persistence, removes competing malware, and joins the device to a command-and-control (C2) network over IRC.

In this article, we’ll explore:

  • How the worm propagates and compromises devices
  • Technical analysis of its multi-stage malware
  • Impact on IoT and enterprise networks
  • Practical mitigation strategies

How the SSH Worm Operates

Initial Compromise

The attack begins with brute-force logins using default usernames and passwords (often loosely called credential stuffing, although that term properly means replaying leaked credential pairs). For example:

  • Username: pi
  • Passwords: raspberry, raspberryraspberry993311

Once it has authenticated, the worm uploads a 4.7 KB bash script to the device and executes it immediately.


Multi-Stage Malware Execution

The worm performs several operations in rapid succession:

  1. Persistence Mechanisms
    • Modifies system files and schedules tasks to survive reboots
  2. Competing Malware Removal
    • Kills processes associated with other botnets and cryptocurrency miners
  3. Connection to C2 Infrastructure
    • Connects to multiple IRC networks, awaiting commands in the channel #biret
  4. Rapid Propagation
    • Installs scanning tools like Zmap and sshpass
    • Scans 100,000 random IP addresses to locate other vulnerable devices

Cryptographic Command Verification

A distinguishing feature of this worm is RSA-based command verification:

  • Each command from the C2 server is signed with the operator's RSA private key
  • The script executes only instructions whose signature validates under the RSA public key embedded in it
  • This prevents anyone else from hijacking compromised devices by posting commands into the IRC channel

Because anyone who can join the channel can post into it, the signature is what stops rival attackers (and defenders) from issuing commands to the infected devices: only the holder of the private key can.
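
To make the verification step concrete, here is an added Go example (not the worm's code, and not from the original diary) of the same pattern: the operator signs each command with an RSA private key, and the implant accepts only commands that verify under the public key embedded in it. The message layout, the command strings and the sequence number used to reject replays are assumptions for the illustration; the article says nothing about the worm's wire format or whether it protects against replay.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strconv"
)

// Message is a C2 instruction; its layout is an assumption for this example, not the worm's.
type Message struct {
	Seq uint64 // counter chosen by the operator, must increase with every command
	Cmd string // shell command to run
	Sig []byte // RSA PKCS#1 v1.5 signature over SHA-256 of payload(Seq, Cmd)
}

// payload is the exact byte string that is signed; binding Seq into it defeats replay.
func payload(seq uint64, cmd string) []byte {
	return []byte(strconv.FormatUint(seq, 10) + "\n" + cmd)
}

// Operator is the signing side: whoever holds the private key controls the botnet.
type Operator struct{ priv *rsa.PrivateKey }

func NewOperator() (*Operator, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Operator{priv: k}, nil
}

// PublicKeyPEM is the blob an author would embed in the dropper script.
func (o *Operator) PublicKeyPEM() ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&o.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func (o *Operator) Issue(seq uint64, cmd string) (Message, error) {
	h := sha256.Sum256(payload(seq, cmd))
	sig, err := rsa.SignPKCS1v15(rand.Reader, o.priv, crypto.SHA256, h[:])
	if err != nil {
		return Message{}, err
	}
	return Message{Seq: seq, Cmd: cmd, Sig: sig}, nil
}

// Bot is the implant side: the embedded public key and the last sequence number it ran.
type Bot struct {
	pub     *rsa.PublicKey
	lastSeq uint64
}

func NewBot(pubPEM []byte) (*Bot, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return nil, fmt.Errorf("embedded key is not PEM")
	}
	k, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("embedded key is not RSA")
	}
	return &Bot{pub: pub}, nil
}

// Accept returns the command only if the signature verifies under the embedded key and the
// sequence number is newer than the last one executed; a rival without the key gets nothing run.
func (b *Bot) Accept(m Message) (string, error) {
	h := sha256.Sum256(payload(m.Seq, m.Cmd))
	if err := rsa.VerifyPKCS1v15(b.pub, crypto.SHA256, h[:], m.Sig); err != nil {
		return "", fmt.Errorf("signature rejected: %w", err)
	}
	if m.Seq <= b.lastSeq {
		return "", fmt.Errorf("replayed or stale command")
	}
	b.lastSeq = m.Seq
	return m.Cmd, nil
}

func main() {
	op, _ := NewOperator()
	pubPEM, _ := op.PublicKeyPEM()
	bot, _ := NewBot(pubPEM)
	good, _ := op.Issue(1, "update")
	fmt.Println(bot.Accept(good)) // accepted
	fmt.Println(bot.Accept(good)) // rejected: replay
}
```

The practical consequence for defenders is the mirror image of the design: without the private key there is no way to push a clean-up or kill command through the C2 channel, and changing a single byte of a captured command invalidates its signature, so remediation has to happen on the device itself.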


Propagation Insights

  • The worm was initially traced to a compromised Raspberry Pi in Germany, itself a victim of the same attack chain
  • Its worm-like behavior lets it spread without operator involvement, since every newly infected device starts scanning for further victims
  • It targets primarily IoT devices with weak authentication, but any system that exposes SSH with guessable credentials can be affected

Mitigation Strategies

Organizations and individuals can protect themselves with the following measures:

  1. Disable Password-Based SSH Authentication
    • Set PasswordAuthentication no (and KbdInteractiveAuthentication no where PAM is in use) in sshd_config and use key-based authentication instead
  2. Remove Default User Accounts on IoT Devices
    • For example, create a replacement administrative user and then delete the pi user on Raspberry Pi devices
  3. Deploy Brute-Force Protection
    • Tools like fail2ban can block addresses that make repeated failed login attempts
  4. Network Segmentation
    • Isolate IoT devices from critical infrastructure, and do not expose their SSH service to the internet
  5. Regular Monitoring
    • Monitor outbound connections from IoT devices for IRC sessions (typically TCP 6667 or 6697) and for bursts of SSH connections to many addresses, both of which this worm produces
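
A reliable way to check mitigation 1 is to audit the effective sshd_config rather than grep for a single line. The Go program below is an added example (not from the article) that applies OpenSSH's precedence rules (the first occurrence of a keyword wins, settings after a Match line are conditional) and its defaults for absent keywords, then reports settings that still permit password guessing; the two configurations it audits and the user name in them are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sshdCheck is one sshd_config keyword, OpenSSH's default when the keyword is absent, and
// the test a value must pass to count as hardened.
type sshdCheck struct {
	Keyword string
	Default string
	Safe    func(value string) bool
}

// Defaults follow current OpenSSH: password and keyboard-interactive authentication are on
// unless disabled, root login is prohibit-password. Keyboard-interactive must be off as
// well, because with UsePAM yes it can still prompt for a password.
var sshdChecks = []sshdCheck{
	{"PasswordAuthentication", "yes", func(v string) bool { return v == "no" }},
	{"KbdInteractiveAuthentication", "yes", func(v string) bool { return v == "no" }},
	{"PermitRootLogin", "prohibit-password", func(v string) bool { return v != "yes" }},
}

// OpenSSH treats the older ChallengeResponseAuthentication keyword as the same setting.
var aliases = map[string]string{"challengeresponseauthentication": "kbdinteractiveauthentication"}

// effectiveSettings returns the value sshd would use for each keyword in the global
// section: the first occurrence wins and later duplicates are ignored, and anything after
// a Match line applies only conditionally, so parsing stops there.
func effectiveSettings(config string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// sshd accepts both "Keyword value" and "Keyword=value"
		fields := strings.FieldsFunc(line, func(r rune) bool { return r == ' ' || r == '\t' || r == '=' })
		if len(fields) == 0 {
			continue
		}
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if canonical, ok := aliases[key]; ok {
			key = canonical
		}
		if _, seen := out[key]; !seen && len(fields) > 1 {
			out[key] = strings.ToLower(fields[1])
		}
	}
	return out
}

// auditSSHD returns one finding per setting that still allows password guessing over SSH.
func auditSSHD(config string) []string {
	settings := effectiveSettings(config)
	var findings []string
	for _, c := range sshdChecks {
		value, set := settings[strings.ToLower(c.Keyword)]
		origin := "set"
		if !set {
			value, origin = c.Default, "default"
		}
		if !c.Safe(value) {
			findings = append(findings, fmt.Sprintf("%s=%s (%s)", c.Keyword, value, origin))
		}
	}
	return findings
}

// Both configurations are constructed samples, not taken from a real device.
const weakConfig = `# passwords allowed, keyboard-interactive left at its default
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
`

const hardenedConfig = `PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
UsePAM yes
AllowUsers deploy
`

func main() {
	fmt.Println("weak:", auditSSHD(weakConfig))
	fmt.Println("hardened:", auditSSHD(hardenedConfig))
}
```

The weak sample is reported for three settings, one of them (KbdInteractiveAuthentication) purely because it is absent and so takes the permissive default; that is the case a plain grep for "PasswordAuthentication no" misses. For mitigation 2 on a Debian-based system such as Raspberry Pi OS, create the replacement administrative user first and only then remove the default one with deluser pi.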

Why This Matters

This attack demonstrates how an old weakness, default credentials, continues to compromise modern devices. Its cryptographically verified commands and multi-stage malware make it more sophisticated than typical SSH worms.

Key takeaways:

  • Default passwords remain a significant security risk
  • IoT devices can be pulled into botnets if they are not properly secured
  • Multi-stage malware and cryptographically verified commands complicate cleanup: defenders cannot simply post a shutdown command into the C2 channel and must reach each infected device directly
  • Proactive hardening and monitoring are essential for both enterprise and home networks
