Stolen SSH keys used for attacks

Security experts are warning of a new series of Linux attacks that use stolen Secure Shell (SSH) keys.

The SSH protocol is used as a system for securely communicating between networked machines. The system was first designed as a replacement for the less-secure Telnet protocol.

The attack is part of a malware rootkit known as Phalanx2. According to an advisory from the US Computer Emergency Response Team (US-CERT,) the rootkit is a derivation of an older piece of malware and stores itself in a directory known as " /etc/khubd.p2/" which can only be accessed through the "cd" command.

Once installed, the malware scours a user's computer for vulnerable SSH keys and then attempts to use the data to carry out attacks on any connected systems.

Researchers note that the attack does not attempt to steal or use stolen keys that require passwords, leaving administrators with a good method for protecting their systems.

"The biggest defence is to have any keys, especially those used to authenticate to remote machines and certainly internet facing ones, require a passphrase to use," advised Sans researcher John Bambenek.

"Check your logs, especially if you use SSH key-based auth, to identify accesses from remote machines that have no business accessing you."

Bambenek also recommends that users fully patch their systems to cover any vulnerabilities which could make the SSH keys easier to obtain.

See also:

Homer Simpson spreading malware

Web 2.d'oh!  12 Jul 2008

Hackers look to 'hardware viruses'

Malicious circuits much more difficult to detect  01 May 2008

Rise of the rootkits

Stealth malware dodges popular security products  13 Dec 2007

Storm worm back with a vengeance

Quarter of all detected threats during August, says BitDefender  10 Sep 2007

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!