posted by Fnord666 on Friday December 14 2018, @03:48PM   Printer-friendly
from the no-honor-among-thieves dept.

https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/

ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats.

[...] Something that wasn’t originally discussed in the Operation Windigo paper, but that ESET researchers have talked about at conferences, is how those attackers try to detect other OpenSSH backdoors prior to deploying their own (Ebury). They use a Perl script they have developed that contains more than 40 signatures for different backdoors.

https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf
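The families in the story are OpenSSH clients and servers that were modified or replaced on an already-compromised host, so one check a defender wants is whether the installed OpenSSH files still match what the package manager recorded. The following is an added example, not code from the ESET paper or from this story: it parses the verification format shared by `rpm -V openssh-server` and `dpkg --verify openssh-server` (a nine-character status field, an optional attribute marker, then the path) and reports files whose size, mode, digest or link target differs, or that are missing. The sample output embedded below is constructed for the example.

```python
"""Flag installed OpenSSH files that no longer match the package database.

Added example, not from the ESET paper or the SoylentNews story. Parses the
output of `rpm -V <pkg>` / `dpkg --verify <pkg>` (same format on both) and
reports files whose size (S), mode (M), digest (5) or link (L) column differs,
or that are reported as missing. Config files ('c' marker) are skipped because
local edits to them are expected.
"""
import re
import subprocess
from typing import Dict

# One verify line: 9 status chars, optional c/d/g/l/r marker, then the path.
# '.' = check passed, '?' = not checked (dpkg), letter = that attribute differs.
_VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP?.]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>\S.*)$"
)
_MISSING_LINE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>\S.*)$")

# Status-field position -> reason reported when that column shows a mismatch.
_WATCHED_COLUMNS = ((0, "S", "size"), (1, "M", "mode"), (2, "5", "digest"), (4, "L", "link"))

# Constructed sample output (not real verification results): the sshd binary
# has a changed size and digest, ssh only has a changed mtime, sshd_config is a
# config file with local edits, ssh-keysign is gone, ssh-agent changed mode.
SAMPLE_VERIFY_OUTPUT = """\
S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/bin/ssh-keysign
.M.......    /usr/bin/ssh-agent
"""


def find_modified(verify_output: str) -> Dict[str, str]:
    """Return {path: reason} for every non-config file that changed or is missing."""
    findings: Dict[str, str] = {}
    for raw in verify_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        missing = _MISSING_LINE.match(line)
        if missing:
            findings[missing.group("path")] = "missing"
            continue
        match = _VERIFY_LINE.match(line)
        if not match:
            continue  # unrelated output, e.g. package-not-installed messages
        flags, attr, path = match.group("flags", "attr", "path")
        if attr == "c":
            continue  # config files are expected to differ from the package
        reasons = [name for pos, letter, name in _WATCHED_COLUMNS if flags[pos] == letter]
        if reasons:
            findings[path] = ",".join(reasons)
    return findings


def verify_package(package: str = "openssh-server") -> str:
    """Run the distribution's verify command and return its raw stdout.

    Tries rpm first, then dpkg. Both exit non-zero when a file differs, so the
    exit status is deliberately ignored and only the output is parsed.
    """
    for cmd in (["rpm", "-V", package], ["dpkg", "--verify", package]):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        except FileNotFoundError:
            continue
    raise RuntimeError("neither rpm nor dpkg is available on this host")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in verify_package()
    # for the openssh-server and openssh-clients/openssh-client packages on a host.
    for path, reason in find_modified(SAMPLE_VERIFY_OUTPUT).items():
        print(f"{path}: {reason}")
```

On the constructed sample this reports `/usr/sbin/sshd` (size,digest), `/usr/bin/ssh-keysign` (missing) and `/usr/bin/ssh-agent` (mode) and stays quiet about the mtime-only change to `/usr/bin/ssh`. The check is only as trustworthy as the package database it reads: an attacker with root who reinstalled a trojaned package, or edited the rpm/dpkg metadata, would pass it, so for a host you already suspect, compare the binaries against checksums from a clean mirror instead of the local database.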
  • (Score: 0, Offtopic) by AssCork on Friday December 14 2018, @04:59PM

    by AssCork (6255) on Friday December 14 2018, @04:59PM (#774461) Journal

    Disappointed that ******2 isn't on the list (though 'hunter' made #70) - Reference [knowyourmeme.com]

    --
    Just popped-out of a tight spot. Came out mostly clean, too.
  • (Score: 2) by Runaway1956 on Friday December 14 2018, @07:16PM (5 children)

    by Runaway1956 (2926) Subscriber Badge on Friday December 14 2018, @07:16PM (#774520) Journal

    They point out that openssh has vulnerabilities, but make no recommendations regarding those vulnerabilities?

    If they even advised that you update to the latest and greatest version, I missed it. Is there an alternative, with fewer vulnerabilities? Maybe they could even have linked to some advice on configuring your openssh?

    https://www.howtoforge.com/tutorial/openssh-security-best-practices/ [howtoforge.com]

    https://support.asperasoft.com/hc/en-us/articles/221494788-Best-practices-for-SSH-configuration [asperasoft.com]

    https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html [cyberciti.biz]

    • (Score: 2, Informative) by Anonymous Coward on Friday December 14 2018, @08:16PM (2 children)

      by Anonymous Coward on Friday December 14 2018, @08:16PM (#774538)

      My understanding is that this paper is not about vulnerabilities in OpenSSH, it is about malware that embeds an OpenSSH server to give remote access to attackers. Did I get confused along the way?

      • (Score: 0) by Anonymous Coward on Friday December 14 2018, @09:06PM (1 child)

        by Anonymous Coward on Friday December 14 2018, @09:06PM (#774557)

        The way I read it, you have it right. The initial vector may be anything, but once inside, a modified ssh server gives attackers a backdoor.

        • (Score: 2) by digitalaudiorock on Friday December 14 2018, @09:40PM

          by digitalaudiorock (688) on Friday December 14 2018, @09:40PM (#774566) Journal

          What threw me about that is that the very fact that the malware got installed seems to imply that you've already been rooted, right? The manner in which that happened seems to be the big concern to me.

    • (Score: 0) by Anonymous Coward on Friday December 14 2018, @10:56PM (1 child)

      by Anonymous Coward on Friday December 14 2018, @10:56PM (#774588)

      The paper suggests disabling password authentication, disabling root login, and using two-factor when possible. They are not sure what initial attack vectors are, but nearly all that they encountered spread through stealing credentials, and only a few stole private keys.

      • (Score: 2) by driverless on Saturday December 15 2018, @12:37AM

        by driverless (4770) on Saturday December 15 2018, @12:37AM (#774624)

        "using two-factor when possible"

        For this to work though you need to use actual, real second-factor auth, not twice as much one-factor auth labelled as two-factor auth. In particular publickey + password is something you know and something else you know, so just two lots of one-factor auth. Actual two-factor auth is a crypto token, OTP, or similar.
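The two comments above together list three sshd settings: no password authentication, no root login, and a second factor that is something other than a second stored secret. As an added example (not from the ESET paper or from either poster), here is a small Python audit of an `sshd_config` that checks exactly those three points, with a constructed weak configuration beside a hardened one. It assumes sshd's first-value-wins rule applies to the global section only (parsing stops at the first `Match` block) and that the second factor is delivered through `keyboard-interactive` authentication backed by a PAM OTP or token module, which is what `AuthenticationMethods publickey,keyboard-interactive` enforces; those assumptions are not stated on the page.

```python
"""Audit an sshd_config for: no password auth, no root login, a real 2nd factor.

Added example, not from the ESET paper or from any poster in the thread.
Assumptions: only the global section is audited (parsing stops at the first
Match block, whose settings are conditional), and a second factor means a
keyboard-interactive step (PAM wired to an OTP/token module), so the chain
publickey,password is flagged as two stored secrets rather than two factors.
"""
from typing import Dict, List

# Constructed weak configuration (not taken from the page).
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened configuration (not taken from the page).
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

# Constructed "one factor twice" configuration: key plus password.
ONE_FACTOR_TWICE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
AuthenticationMethods publickey,password
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {lowercased keyword: value} for the global section.

    sshd keeps the first value it reads for each keyword, so later duplicates
    are ignored. Comments and blank lines are skipped; 'Keyword=value' is
    accepted as well as 'Keyword value'.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in line:
            parts = line.split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            break  # everything below a Match block is conditional, not global
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return findings for the three recommendations; an empty list means all hold."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []

    # 1. Password authentication: sshd treats an unset keyword as 'yes'.
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")

    # 2. Root login: 'yes' is flagged outright; when unset the default depends
    #    on the OpenSSH version, so the audit insists on an explicit 'no'.
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set explicitly")
    elif root != "no":
        findings.append(f"PermitRootLogin is '{root}', not 'no'")

    # 3. Second factor: AuthenticationMethods must chain at least two methods,
    #    one of them keyboard-interactive (optionally suffixed, e.g. ':pam').
    methods = cfg.get("authenticationmethods")
    if methods is None:
        findings.append("AuthenticationMethods is not set, so no second factor is enforced")
    else:
        for chain in methods.split():
            names = [m.split(":", 1)[0] for m in chain.split(",")]
            if len(names) < 2:
                findings.append(f"AuthenticationMethods chain '{chain}' requires only one method")
            elif "keyboard-interactive" not in names:
                findings.append(f"AuthenticationMethods chain '{chain}' has no keyboard-interactive step")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD_CONFIG),
                        ("one factor twice", ONE_FACTOR_TWICE_CONFIG),
                        ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit_sshd_config(text) or ['ok']}")
```

The hardened configuration produces no findings; the weak one produces three, and the key-plus-password one is flagged both for leaving password authentication on and for a chain with no keyboard-interactive step. Run it against `/etc/ssh/sshd_config` on a host, and after changing the file validate with `sshd -t` before restarting, keeping an existing session open in case the new `AuthenticationMethods` chain locks out the account used for administration.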