Botnet targeting Linux servers made up third of SSH traffic until blocked

Level 3 reveals scale of 'SSHPsychos' botnet taken down in April


The aggressive SSHPsychos botnet that struck the Internet last summer at one point accounted for more than a third of all global SSH traffic until it was sinkholed, Level 3 Communications has detailed in its latest quarterly report.

The operation that drew the sting from SSHPsychos was carried out by Cisco and Level 3 on 7 April, and appears to have been highly successful. Up to that point SSHPsychos had, without being much noticed, launched a vast SSH brute force attack on Linux servers designed to spread a rootkit used for DDoS attacks.

The problem is that only certain companies actually see these attacks, usually service providers, who might or might not mention their sometimes massive size. SSHPsychos was stopped but not before it had at times managed to account for a stunning 35 percent of all global SSH traffic.
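Most operators never see SSH brute forcing at the scale a carrier like Level 3 does, but the same activity is visible on a single host in sshd's own logs. The script below is an added example, not code from the article, Level 3 or Cisco: it runs a sliding-window detector over OpenSSH "Failed password" / "Accepted password" syslog lines, flags a source address once it exceeds a threshold of failures within a time window, and separately records whether a flagged source later obtained an accepted login, which is the case that warrants treating the host as possibly compromised rather than merely scanned. The log lines, host names, addresses, and the threshold and window values are constructed assumptions for the demonstration.

```python
"""Sliding-window detector for SSH password brute forcing in OpenSSH auth logs.

Added example (not from the article or the Level 3 report). Assumes the
standard OpenSSH syslog line format; everything in SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted password ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log: one source hammering root/admin and then succeeding,
# one ordinary user mistyping a password once, one unrelated PAM line.
SAMPLE_LOG = """\
Apr  7 10:00:01 web01 sshd[2011]: Failed password for root from 203.0.113.5 port 4001 ssh2
Apr  7 10:00:02 web01 sshd[2012]: Failed password for root from 203.0.113.5 port 4002 ssh2
Apr  7 10:00:03 web01 sshd[2013]: Failed password for invalid user admin from 203.0.113.5 port 4003 ssh2
Apr  7 10:00:04 web01 sshd[2014]: Failed password for root from 203.0.113.5 port 4004 ssh2
Apr  7 10:00:05 web01 sshd[2015]: Failed password for root from 203.0.113.5 port 4005 ssh2
Apr  7 10:00:09 web01 sshd[2016]: Accepted password for root from 203.0.113.5 port 4006 ssh2
Apr  7 10:00:30 web01 sshd[2017]: Failed password for alice from 198.51.100.20 port 5100 ssh2
Apr  7 10:00:45 web01 sshd[2018]: Accepted password for alice from 198.51.100.20 port 5101 ssh2
Apr  7 10:05:00 web01 sshd[2019]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


def parse_line(line, year=2015):
    """Return (timestamp, result, user, ip) for a password auth event, else None.

    syslog timestamps carry no year, so the caller supplies one (assumed 2015 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed password logins inside a sliding window.

    Returns {ip: {"first_flagged": datetime, "failures": int, "users": set,
                  "success_after_flag": bool}}. "failures" is the in-window count at
    the moment the source crossed the threshold; "users" collects every account the
    source tried; "success_after_flag" is set if an Accepted login from that source
    follows the flag.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> account names attempted
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Accepted":
            if ip in flagged:
                flagged[ip]["success_after_flag"] = True
            continue
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window (q is non-empty: ts was just added).
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_flagged": ts, "failures": len(q),
                           "users": users[ip], "success_after_flag": False}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        verdict = "LOGIN SUCCEEDED AFTER FLAG" if info["success_after_flag"] else "blocked/noise"
        print(f"{ip}: {info['failures']} failures by {info['first_flagged']:%H:%M:%S}, "
              f"accounts={sorted(info['users'])}, {verdict}")
```

In practice the same logic would be fed from journald or a log shipper rather than a string, and the interesting output is the flagged source that later logged in successfully: that host needs more than an IP block, since the article's rootkit case shows what a successful guess is used to install.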

It’s a small but fascinating aside in a report that details the shifting sand in the evolution of botnets.

Level 3’s report offers a range of percentages regarding the volume of C2 (command and control) traffic emanating from and being sent to different countries, but these probably offer less insight than they appear to: many of the countries near the tops of these lists are simply the ones with exploitable Internet infrastructure, and the attackers could be living almost anywhere.

As if to prove that, Level 3 comments on the unusually high volume of C2 traffic being sent to Norway of all places, the result of a specific web incident. Much of that emanated from nearby countries and so other Nordics and The Netherlands also registered high on the C2 scale. The UK accounted for 12 percent, the firm said.

In terms of individual IP addresses, the top location for victims was China, followed predictably by the US, ahead of Norway, Spain and The Ukraine.

It is tempting to become blasé about botnets and the threat they pose. The phenomenon has been around for over a decade and as a major issue for more than half that time. What more harm can botnets possibly do that they’ve not already done?

One answer is that while the uses botnets are put to have changed, they remain a vital part of the criminal economy, used to distribute spam and malware and, increasingly, to carry out DDoS attacks in the style of SSHPsychos. Botnets are akin to a digital superhighway for criminality, and countering them, however long that might take, is essential.

One interesting development in the evolution of botnets spotted by Level 3 is the trend away from individual PCs and standalone servers towards using virtual machines hosted by Infrastructure as a Service (IaaS) cloud providers.

“It is our belief that the ratio of bad actors that have infected legitimate servers versus those who have created bots on rogue virtual machines is shifting in favour of VM deployment,” said Level 3’s researchers.

“The flexibility to quickly spin up and take down VM instances as well as easily scale a deployment makes IaaS cloud computing a perfect fit for the dark trade.”