A newly discovered family of malware is being used to compromise Linux servers exposed to the internet. The good news for IT pros is that it doesn't appear to be targeting traditional commercial servers but is going after consumer devices.
The malware, dubbed GoScanSSH, was discovered by researchers at Cisco Talos; they wrote about it in a blog on Monday.
This one's a bit of a head scratcher for several reasons.The malware goes out of its way to avoid infecting devices connected to government networks. And it calls home to its Tor hidden service-based command and control (C2) infrastructure using Tor2web, which allows access to Tor hidden services without use of a Tor client.
GoScanSSH is also worrisome. There are indications that the number of successful GoScanSSH infections has been on a steep rise since the middle of March. And apparently, researchers have yet to discover the ultimate goal of the hackers. So far GoScanSSH appears to be something of a sleeper and doesn't do anything other than try to replicate itself. We might expect the other shoe to drop somewhere down the line.
The folks at Cisco Talos report that the malware targets weak or default credentials across a range of Linux devices on x86, x86_64, ARM and MIPS64 architectures. It gets inside with a brute force attack that utilizes a word list of 7,000 user/password combinations, with usernames being of the "admin, guest, oracle, root, test, user" variety. After it's in, a unique GoScanSSH binary is created and uploaded to the compromised SSH server and then executed to infect the system.
"Immediately following infection, the GoScanSSH malware attempts to determine how powerful the infected system is," Cisco Talos said. "This is accomplished by determining how many hash computations can be performed within a fixed time interval. The result of this process is then transmitted to the C2 server, along with basic survey information about the victim machine when the malware sends a 'checking_in' message to the C2 server. This message is encrypted prior to being sent to the C2 server."
The malware then goes about the business of attempting to replicate itself by scanning and identifying additional vulnerable internet-exposed SSH servers that can be compromised.
Now this is where it gets interesting: The malware randomly generates an IP address, avoiding special-use addresses, then compares them to blocks of addresses to be ignored, mostly network ranges belonging to government and military organizations, and "specifically avoiding ranges assigned to the U.S. Department of Defense."
According to the report, this isn't the end of the malware's attempt to avoid infecting government property.
"The malware then attempts to establish a TCP connection to the selected IP address on TCP/22. If the connection is successfully established, the malware will then perform a reverse DNS lookup to determine if the IP address resolves to any domain names. If the reverse DNS lookup returns a domain, it is compared against a list of domains related to various government and military entities. If the domain matches any of the entries on the list, the connection is terminated, the IP is discarded and a new one is generated."
In addition to the U.S., the domain names indicate that the malware is attempting to avoid infecting government networks in the UK, Australia, New Zealand, Israel, South Africa and Spain.
Curiouser and curiouser, eh?
If the malware is satisfied that it has not reached a forbidden IP, it then starts a new infection attempt, with a brute force SSH attempt using its list of 7,000 usernames and passwords.
Again, the objectives of the malware, other than to continually replicate itself, are unclear. A good guess might be that a bot is being amassed for DDOS purposes. Nor is it known why the malware is interested in the power of its host machine. Some have suggested it might have something to do with mining cryptocurrencies, which takes a good deal of computational power, but relatively low-powered machines like jailbroken phones and Raspberry Pi systems are included in the mix of devices being targeted, undermining the cryptocurrency theory.
Most perplexing is the malware's avoidance of government IP addresses. Perhaps it's just a way for the people behind GoScanSSH to remain stealthy. Or perhaps it's something that gives conspiracy theories plenty to ponder. Who knows when we'll find out?