SSH Keys Harvested To Launch Linux Attacks

Security professionals at SANS are warning users about a new surge of Linux attacks that use stolen SSH (Secure Shell) keys. According to them, the attacks are associated with a malicious rootkit called Phalanx2.

Security professionals point out that SSH is the protocol used to secure communications, such as remote logins, between networked systems. It was originally introduced as a replacement for the Telnet protocol, which carries credentials and session data unencrypted.

Explaining the rootkit attack, a security advisory from US-CERT (United States Computer Emergency Readiness Team) stated that Phalanx2 is derived from an older piece of malware, the original Phalanx rootkit, and that it installs itself in a directory named "/etc/khubd.p2/". That directory is hidden from directory listings such as "ls", but it can still be entered with the "cd" command.

Detailing the rootkit's behaviour after installation, SANS researchers stated that as soon as it is loaded on a victim's computer, the rootkit searches the system for SSH keys and then uses whatever it harvests to attack other machines those keys give access to.

Security researchers and analysts added that the attack does not appear to capture or use SSH keys that are protected by a passphrase, which gives administrators a practical lever for defending their systems.

According to John Bambenek, a researcher at SANS, the best defense is to protect keys with a passphrase: a series of words, or other text, that must be supplied before the key can be used to access the computer and the applications and data on it. This applies to any key used to authenticate to remote systems, and certainly to those facing the Internet, as reported by vnunet on August 28, 2008.

As a further precaution, Bambenek advises users to examine their logs, particularly if they use SSH key-based authentication, to detect unauthorized logins from remote machines.

It is also recommended that users keep their computers properly patched, so that attackers cannot exploit known security flaws to gain the foothold they need to harvest SSH keys and leave the system infested with malicious programs.
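The three checks the article recommends, as an added example that is not part of the SPAMfighter article or of any SANS or US-CERT material: a POSIX shell script that probes for the rootkit's "/etc/khubd.p2/" directory by entering it rather than listing it, finds private keys that have no passphrase, and scans sshd log lines for key-based logins from addresses outside an allow-list. The sample log lines, the temporary key files and the 10.0.0.5 allow-list address are constructed for the demonstration; the "Accepted publickey for ..." message format is OpenSSH's own.

```shell
#!/bin/sh
# Added example: post-Phalanx2 triage checks for a Linux host.
# Not code from the article, SANS or US-CERT. Sample data is constructed.

# 1. The rootkit's directory is hidden from "ls" but can still be entered
#    with "cd", so probe it by entering it in a subshell instead of listing
#    /etc. Returns 0 if the directory can be entered.
#    Caveat: a rootkit that hooks libc or the kernel can lie to "cd" as well;
#    inspecting the disk from rescue media is the reliable check.
phalanx2_dir_present() {
    dir="${1:-/etc/khubd.p2}"
    ( cd "$dir" 2>/dev/null )
}

# 2. Report private key files that have no passphrase. Traditional PEM keys
#    carry "Proc-Type: 4,ENCRYPTED" when protected; new-format
#    "OPENSSH PRIVATE KEY" files keep the cipher inside base64, so for those
#    ask ssh-keygen to derive the public key with an empty passphrase, which
#    only succeeds when the key is unprotected. Prints one path per line and
#    returns 0 if at least one unprotected key was found.
unprotected_keys() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
            if command -v ssh-keygen >/dev/null 2>&1; then
                if ssh-keygen -y -P '' -f "$f" >/dev/null 2>&1; then
                    echo "$f"; found=0
                fi
            else
                echo "skipped (ssh-keygen not installed): $f" >&2
            fi
        elif grep -q 'PRIVATE KEY' "$f" && ! grep -q 'Proc-Type: 4,ENCRYPTED' "$f"; then
            echo "$f"; found=0
        fi
    done
    return $found
}

# 3. Read sshd log lines on stdin and print "user@ip" for every successful
#    key-based login ("Accepted publickey") from an address that is not in
#    the allow-list given as arguments. Password logins and failed attempts
#    are ignored. Returns 0 if at least one unexpected login was found.
suspicious_key_logins() {
    allow=" $* "
    hits=1
    while read -r line; do
        case "$line" in
            *"Accepted publickey for "*) ;;
            *) continue ;;
        esac
        set -- $(printf '%s\n' "$line" |
            sed -n 's/.*Accepted publickey for \([^ ]*\) from \([^ ]*\).*/\1 \2/p')
        user=$1; ip=$2
        case "$allow" in
            *" $ip "*) continue ;;   # expected source, e.g. a jump host
        esac
        echo "$user@$ip"
        hits=0
    done
    return $hits
}

# Constructed sample of sshd auth log lines (not real logs).
SAMPLE_LOG='Aug 28 03:14:07 web1 sshd[4122]: Accepted publickey for root from 203.0.113.45 port 52344 ssh2
Aug 28 03:14:09 web1 sshd[4130]: Accepted password for alice from 10.0.0.5 port 51002 ssh2
Aug 28 03:15:11 web1 sshd[4141]: Accepted publickey for deploy from 10.0.0.5 port 51010 ssh2
Aug 28 03:16:02 web1 sshd[4150]: Failed publickey for root from 198.51.100.7 port 40011 ssh2'

# Demonstration. Real use: suspicious_key_logins 10.0.0.5 < /var/log/auth.log
#                      and unprotected_keys /root/.ssh/id_* /home/*/.ssh/id_*
if phalanx2_dir_present; then
    echo "WARNING: /etc/khubd.p2 can be entered; treat this host as compromised"
fi
printf '%s\n' "$SAMPLE_LOG" | suspicious_key_logins 10.0.0.5 || true
```

On the constructed sample only the root login from 203.0.113.45 is reported: the deploy login comes from the allow-listed jump host, the password login is not key-based, and the failed attempt never succeeded. The key check deliberately fails closed for new-format keys when ssh-keygen is absent rather than guessing, and none of these checks is conclusive on a host whose libc or kernel has already been subverted, which is why an unexpected result should be confirmed from rescue media before the host is trusted again.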

SPAMfighter News - 05-09-2008