FY( - Malware attacking Linux with weak passwords


Detected in the wild, does not attack vulnerabilities, initial compromise is only by trying weak root passwords against thousands of Linux (and IoT) machines, hoping to log into any.

Once successful, it will attempt to spread not only by joining the botnet to try the next password, it will also locate any local keys used for authentication and attempt to login to those remote machines. In other words, if you SSH into every machine in your network and you’re compromised, then every other machine in your network you SSH into would also be immediately compromised.

Although considered “simple” and “lacking in features,” a compromised machine will both attempt to infect other machines and can perform DDOS attacks as part of the botnet.

This does not target MSWindows machines today… yet.

Recommended Mitigation:
Don’t use weak passwords.
Don’t know what a weak password is?
Do an Internet search on the “Top 60 most commonly used passwords” for starters.
To mitigate against brute force attacks, a stronger password will depend on both variety (upper, lower, numeric, special characters), and length (8 characters minimally but still bad. At least 15 characters much better).Be aware though that what humans consider an unusual character wouldn’t be anything unusual to a computer doing a brute force attack, so I generally discourage use of special keystroke combinations which are difficult to type… You’ll just discourage yourself from using something difficult to do while hardly affecting a computer which wouldn’t consider a difficult keystroke anything different than something simpler.


Glad I have

  1. Passwords > 16 characters
  2. No root access over ssh on servers that I have access to
  3. openSUSE uses a root user, I recently saw a *buntu user having ‘qwerty1234’ as a password, and it gave me root access. ( which he did not like at all ).
  4. Always known that linux can be safe and secure, but never invulnerable.

I’m also a little bit suspicious of UNIX® and Linux systems which, have “locked” the user “root”.

  • “sudo” is fine but, it’s only as strong as the access to the administrator accounts – which are, presumably, the only accounts with “sudo” privileges.
  • AFAICS, it’s usually sufficient to ensure that, the user “root” can only login at the console terminal – which itself, can be made physically difficult to access – for example, a locked cage in a very secure computer room and, only a limited number of staff have access to those keys …
  • Was Sun’s approach where, they stored the root password in an EEPROM on the machine’s Mainboard a step in the wrong direction? – I’m undecided …