A new and highly efficient self-propagating worm has been detected, capable of compromising Linux systems through SSH brute-force attacks in a mere four seconds. This threat leverages a combination of traditional credential stuffing and advanced cryptographic command verification, forming a rapidly spreading botnet that preys on devices with weak authentication.
How the Worm Exploits Vulnerabilities
The worm’s ability to exploit unchanged default passwords highlights ongoing vulnerabilities in systems, especially within Internet of Things (IoT) devices like Raspberry Pi. Once the worm gains access through weak credentials, a small bash script, only 4.7 kilobytes in size, is uploaded and executed. This script secures the malware’s foothold by establishing persistence, removing rival malware, and connecting the device to a command and control network via Internet Relay Chat (IRC).
Discovery and Propagation Patterns
Researchers at the Internet Storm Center identified this malicious activity through DShield honeypot sensors designed to detect SSH attacks. The worm was traced back to a compromised Raspberry Pi in Germany, which had fallen victim to the same attack chain. The botnet’s worm-like propagation enables it to rapidly infiltrate vulnerable systems, amplifying its reach across the internet.
The attack initiates when the malware authenticates using common default credentials, predominantly targeting Raspberry Pi devices. After accessing the system, the script modifies files and schedules tasks to maintain control, eliminating processes associated with competing threats such as botnets and cryptocurrency miners.
Advanced Security Features
Setting this worm apart is its use of cryptographically signed command verification. Embedded RSA public keys ensure that only commands signed by the command and control operator are executed, preventing rival operators from hijacking the compromised devices. Once established, the malware connects to various IRC networks and waits for further commands in a specific channel named “#biret.”
The worm escalates its spread by installing scanning tools like Zmap and sshpass, enabling scans of 100,000 random IP addresses. This aggressive approach underscores the importance of securing networks against such threats.
Prevention and Security Measures
Organizations can mitigate these risks by disabling password-based SSH authentication in favor of key-based methods. Further protection comes from removing default user accounts on devices like Raspberry Pi, deploying tools like fail2ban to throttle brute-force attempts, and isolating IoT devices from critical network infrastructure through segmentation.
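The following POSIX shell script is an added example, not code from the article or from the researchers it cites. It audits an sshd_config for the settings that leave a host open to the credential brute force described above (password authentication, keyboard-interactive prompts, root password logins), reports leftover default accounts from a passwd-format file, and writes constructed weak and hardened sample configs to show both sides. The list of default account names and the sample files are assumptions made for the demonstration, not an authoritative vendor inventory.

```shell
#!/bin/sh
# Added example: audit sshd_config for password brute-force exposure and
# list leftover default accounts. Sample inputs are constructed below.

# sshd_opt FILE KEYWORD DEFAULT
# Print the global value of an sshd_config keyword. Like sshd, the first
# occurrence wins, and the global section ends at the first Match block.
# "Include" directives are not followed here (see usage note).
sshd_opt() {
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$kw" '
        { sub(/#.*/, ""); gsub(/=/, " "); $0 = $0 }   # strip comments, normalise key=value
        NF == 0 { next }
        tolower($1) == "match" { exit }               # global section ends here
        tolower($1) == k { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
# Return 0 when password-based logins are closed off, else print each weak
# setting and return 1. Defaults passed to sshd_opt mirror OpenSSH defaults.
audit_sshd_config() {
    cfg=$1; weak=0
    if [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no'"; weak=1
    fi
    # PAM password prompts can still arrive over keyboard-interactive auth
    # (ChallengeResponseAuthentication is the older name for the same knob).
    if [ "$(sshd_opt "$cfg" KbdInteractiveAuthentication yes)" != "no" ] &&
       [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)" != "no" ]; then
        echo "WEAK: keyboard-interactive authentication is not disabled"; weak=1
    fi
    case "$(sshd_opt "$cfg" PermitRootLogin prohibit-password)" in
        no|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin allows password logins for root"; weak=1 ;;
    esac
    if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication is disabled"; weak=1
    fi
    return $weak
}

# find_default_accounts PASSWD_FILE
# Print accounts from a constructed list of common default names that still
# have a login shell. The name list is an assumption for this example.
find_default_accounts() {
    awk -F: '$1 ~ /^(pi|admin|ubuntu|user)$/ && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# demo_audit: constructed weak and hardened configs side by side.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
# constructed sample: the out-of-the-box style of config the worm relies on
PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$d/hardened.conf" <<'EOF'
# constructed sample: key-only logins, root password logins refused
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
EOF
    printf 'root:x:0:0:root:/root:/bin/bash\npi:x:1000:1000::/home/pi:/bin/bash\n' > "$d/passwd"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_sshd_config "$d/$f.conf" && echo "OK: no password brute-force exposure"
    done
    echo "== default accounts still present:"
    find_default_accounts "$d/passwd"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

Run it with `--demo` to see the constructed samples, or call `audit_sshd_config /etc/ssh/sshd_config` and `find_default_accounts /etc/passwd` on a real host. Because the parser does not follow `Include` directives, cross-check against `sshd -T`, which prints the effective configuration after defaults and includes are applied; and remember that fail2ban and network segmentation address what this file-level check cannot see.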
