
Zero Day

Ryan Naraine and Dancho Danchev

Linux under attack: Compromised SSH keys lead to rootkit

By Ryan Naraine | August 26, 2008, 2:13pm PDT


The U.S. Computer Emergency Readiness Team (US-CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed, US-CERT said in a note on its current activity site.

From the advisory:

  • Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Phalanx, which dates back to 2005, is a self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
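A rootkit that hides processes generally does so by filtering what the /proc listing reports, so one defender-side check is to compare independent views of the process table and flag PIDs that exist but never show up in the listing. The script below is an added illustration, not part of the original post or of any US-CERT guidance. It uses only the kernel's own interfaces (the /proc listing, kill(pid, 0), and the per-process /proc/<pid>/status file); the function names `classify` and `scan` and the two labels it reports are my own. The pure comparison is kept separate from the live scan so it can be exercised on constructed sets.

```python
import os
from typing import Dict, Optional, Set


def listed_pids() -> Set[int]:
    """PIDs a directory listing of /proc shows: the view ps, top and most tools
    use, and the one a rootkit hooks to hide a process."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probe_pid(pid: int) -> bool:
    """True if a process with this PID exists, judged by kill(pid, 0), which
    consults the kernel's task table directly. EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def tgid_by_name(pid: int) -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if the entry cannot be
    opened even by name. Non-leader threads have their own PID number, answer
    kill(0), and are deliberately absent from the /proc listing, so the Tgid
    field is what separates an ordinary thread from a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return pid


def classify(listed: Set[int], alive: Set[int],
             tgid: Dict[int, Optional[int]]) -> Dict[int, str]:
    """Pure comparison of the views; separated so it can be tested on constructed
    sets. `tgid` maps each unlisted-but-alive PID to its Tgid (None if the
    /proc entry is unreachable). Returns the suspect PIDs with a label saying
    how deep the hiding goes; threads of a listed process are not findings."""
    findings = {}
    for pid in sorted(alive - listed):
        t = tgid.get(pid)
        if t is None:
            findings[pid] = "hidden-from-proc"      # not even reachable by name
        elif t == pid:
            findings[pid] = "hidden-from-listing"   # reachable by name, filtered from readdir
    return findings


def scan(max_pid: Optional[int] = None, passes: int = 2) -> Dict[int, str]:
    """Live scan. Processes are born and die while we probe, so each pass takes a
    listing before and after the probe, and a PID is only reported if it is flagged
    in every pass; that filters transient mismatches from a stable hidden process."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    suspects = None
    for _ in range(passes):
        before = listed_pids()
        alive = {pid for pid in range(1, max_pid + 1) if probe_pid(pid)}
        after = listed_pids()
        unlisted = alive - (before | after)
        found = classify(before | after, alive, {pid: tgid_by_name(pid) for pid in unlisted})
        suspects = found if suspects is None else {p: c for p, c in found.items() if p in suspects}
    return suspects


if __name__ == "__main__":
    hidden = scan()
    for pid, how in hidden.items():
        print(f"pid {pid}: {how}")
    print("no hidden processes found" if not hidden else f"{len(hidden)} suspect pid(s)")
```

Probing every PID up to pid_max is a few million syscalls and takes a few seconds in Python; the point is that kill(pid, 0) does not go through the /proc code paths a rootkit typically hooks, so a disagreement between the two views is worth a closer look.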

Details on the attacks — and targets — remain scarce but it’s a safe bet this is linked to the Debian random number generator flaw that surfaced earlier this year. A working exploit for that vulnerability is publicly available.

To mitigate the risk from this attack, US-CERT recommends:

  • Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
  • Encourage users to protect their keys with passphrases or passwords to reduce the risk if a key is compromised.
  • Review access paths to internet-facing systems and ensure that systems are fully patched.
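The first two recommendations amount to finding private keys that are stored without a passphrase. The script below is an added example, not from the post or from US-CERT: it recognises the common on-disk formats (classic PEM, where encryption is signalled by a `Proc-Type: 4,ENCRYPTED` header; PKCS#8, which uses a distinct `ENCRYPTED PRIVATE KEY` banner; and OpenSSH's own `openssh-key-v1` container, where the cipher and KDF names are the first fields of the base64 body and both read `none` for a clear-text key) and reports which keys are unprotected. The function names `is_passphrase_protected`, `audit_private_keys` and `unprotected` are mine, and the sample key texts embedded in it are constructed placeholders with no real key material.

```python
import base64
import re
import struct
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample files (placeholders, not real keys): only the headers and
# wrapping that an audit inspects are meaningful here.
SAMPLE_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string, the encoding used throughout the SSH wire format."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(data: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", data, off)
    off += 4
    if off + n > len(data):
        raise ValueError("truncated SSH string")
    return data[off:off + n], off + n


def make_openssh_v1(cipher: bytes, kdf: bytes) -> str:
    """Build the header of an 'openssh-key-v1' file (constructed: only the
    cipher/KDF fields are filled in, the key payload itself is omitted)."""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def is_passphrase_protected(text: str) -> Optional[bool]:
    """True if the private key is encrypted under a passphrase, False if it is
    stored in the clear, None if the text is not a private-key format we know."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        # Binary body: magic string, then cipher name, then KDF name.
        b64 = "".join(ln for ln in text.splitlines() if ln and not ln.startswith("-----"))
        b64 = b64[: len(b64) - len(b64) % 4]  # tolerate a truncated read
        try:
            raw = base64.b64decode(b64)
            magic = b"openssh-key-v1\x00"
            if not raw.startswith(magic):
                return None
            cipher, off = _read_ssh_string(raw, len(magic))
            kdf, _ = _read_ssh_string(raw, off)
        except (ValueError, struct.error):
            return None
        return not (cipher == b"none" and kdf == b"none")
    if re.search(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text, re.M):
        # Classic PEM: encryption is signalled by the Proc-Type header.
        return bool(re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.M))
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return True   # PKCS#8, encrypted
    if "-----BEGIN PRIVATE KEY-----" in text:
        return False  # PKCS#8, clear
    return None


def audit_private_keys(root: Path) -> List[Tuple[str, Optional[bool]]]:
    """Walk `root` and return (path, protected) for every file that looks like a
    private key. Only the first 4 KiB is read; every header checked above is there."""
    found = []
    for p in root.rglob("*"):
        try:
            if p.is_symlink() or not p.is_file():
                continue
            with p.open("rb") as f:
                head = f.read(4096)
        except OSError:
            continue
        if b"PRIVATE KEY-----" in head:
            found.append((str(p), is_passphrase_protected(head.decode("ascii", "replace"))))
    return found


def unprotected(results: List[Tuple[str, Optional[bool]]]) -> List[str]:
    """Paths whose key is stored in the clear: the keys US-CERT's first two points target."""
    return [path for path, protected in results if protected is False]


if __name__ == "__main__":
    for home in (Path("/root"), *Path("/home").glob("*")):
        for path in unprotected(audit_private_keys(home / ".ssh")):
            print("no passphrase:", path)
```

Run as root it covers every user's `.ssh` directory; keys used by cron jobs and backup scripts often live elsewhere, so pointing `audit_private_keys` at service accounts' home directories and application config trees is the useful second pass.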

If a compromise is confirmed, US-CERT recommends:

  • Disable key-based SSH authentication on the affected systems, where possible.
  • Perform an audit of all SSH keys on the affected systems.
  • Notify all key owners of the potential compromise of their keys.
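An audit of the keys that grant access to a host starts with the `authorized_keys` files themselves. The script below is an added example, not from the post or from US-CERT: it parses each entry, including the optional leading options field whose quoted values may contain spaces and commas, checks that the key blob really is of the declared type, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints so the result can be matched against the key owners' copies, and flags keys not confined by `from=`, `command=` or `restrict`, which is the profile of an unattended automation key that is usable from anywhere once stolen. The function names `parse_entry`, `audit` and `unrestricted` are mine; the sample entries and key bytes are constructed and contain no real public keys.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
# Any of these options confines what the key can do or where it may come from.
RESTRICTING = {"from", "command", "restrict"}


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_pubkey_b64(keytype: str, payload: bytes) -> str:
    """Base64 key blob as it appears in authorized_keys: type string followed by
    the key payload (constructed placeholder bytes here, not a real key)."""
    return base64.b64encode(_ssh_string(keytype.encode()) + _ssh_string(payload)).decode()


# Constructed sample authorized_keys file.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup automation, copied between hosts",
    "ssh-ed25519 " + make_pubkey_b64("ssh-ed25519", b"\x01" * 32) + " backup@host1",
    'from="10.0.0.5",command="/usr/local/bin/rsync-wrapper",no-pty ssh-ed25519 '
    + make_pubkey_b64("ssh-ed25519", b"\x02" * 32) + " backup@host2",
    'restrict,command="/usr/bin/rrsync /srv/backup" ssh-rsa '
    + make_pubkey_b64("ssh-rsa", b"\x03" * 64) + " deploy",
    "",
])


def split_options(line: str) -> Tuple[List[str], str]:
    """Separate the optional leading options field from the rest of the line.
    Values may be double-quoted and contain spaces and commas, so the field
    cannot simply be split on whitespace."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line
    opts, cur, quoted = [], "", False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
            cur += c
        elif c == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif c in " \t" and not quoted:
            opts.append(cur)
            return opts, line[i + 1:].lstrip()
        else:
            cur += c
    return opts, ""  # options with no key after them: malformed


def fingerprint(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf`: SHA-256 of the key blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_entry(line: str) -> Optional[Dict]:
    """Parse one authorized_keys line; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack_from(">I", blob, 0)   # first field: embedded type name
        embedded = blob[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None
    if embedded != keytype:
        return None  # blob does not match the declared type: do not trust the line
    return {
        "type": keytype,
        "fingerprint": fingerprint(blob),
        "comment": parts[2] if len(parts) == 3 else "",
        "options": opts,
        "restricted": bool({o.split("=", 1)[0] for o in opts} & RESTRICTING),
    }


def audit(text: str) -> List[Dict]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def unrestricted(entries: List[Dict]) -> List[Dict]:
    """Keys that can be used from any source address to open a full shell."""
    return [e for e in entries if not e["restricted"]]


if __name__ == "__main__":
    for e in unrestricted(audit(SAMPLE_AUTHORIZED_KEYS)):
        print(f'{e["fingerprint"]} {e["type"]} {e["comment"]!r}: no from=/command=/restrict')
```

Feeding the fingerprints from every host into one list gives the "who has access where" inventory the notification step needs, and a key whose fingerprint appears on many hosts with no `from=` or `command=` limit is exactly the kind an attacker can replay across a site once a single copy is stolen.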





Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 162 Talkback(s)

  • Linux under attack: Compromised SSH keys lead to rootkit
    LOL! And the hits to linux just keep coming! So that's 4 different incidents within a week's time of how badly linux sucks. Poor Linus must be hiding under his bed trying to get away from all the bad news. LOL!! Sometimes I crack myself up.

    Do all these security flaws really surprise anyone? It shouldn't. Think about the linux development model. Anyone is free to take code and modify it and throw it out there without any peer review. Then some other linux developer takes that code without looking at it and merges it with his own code, now you got a mish-mash of 2 crappy codes combined. And the cycle just continues. There is just no place for linux in this world. It's proven that it can't offer security, it's not stable, very unreliable. More and more people are migrating away from it. It's like a slap in the face and a black eye. Ah, to be linux-free feels really good.
    Loverock Davidson
    26th Aug 2008
  • Security is a process
    The pubkeys were *stolen*
    Have some cookies and milk LD

    Carry on everyone.
    D T Schmitz
    26th Aug 2008
  • Yes it is
    now if only linux would adopt such a practice.
    Loverock Davidson
    26th Aug 2008
  • Then they'd be WELL ahead of MS...
    ...oops...they already are.
    storm14k
    26th Aug 2008
  • And what does MS have to do with this?
    Nothing. Based on your comments you believe that linux is so bad that you need to bring other operating systems into conversation to deflect the real issue of how bad linux really is.
    Loverock Davidson
    26th Aug 2008
  • What better way to deflect...
    ...than to talk about an OS that is even worse. MS fits the bill with Windows so I talked about it.
    storm14k
    26th Aug 2008
  • When you start talking about an OS that's worse then...
    ...you'll have a point. Windows is no worse than Linux. Especially with the release of Vista.
    ye
    27th Aug 2008
  • Deflection!
    Well when it comes to an OS vendor that really drags its feet when it comes to security, there is definitely no better foot dragger than Microsoft!

    Besides who would want to use an OS where there are intentional security holes left for the OS vendor to have unlogged and unrestricted access to your data and machine?

    Makes you think, does it not.
    schlandower
    27th Aug 2008
  • @schlandower - Where Do You Get Your Tin Hats?
    And I suppose the FBI has a spy under your bed, and your neighbor's dog is a CIA agent.

    If any OS family has back doors, it's likely to be an Open Source OS, since no one with pockets (much less deep pockets!) can be sued for the breach, and the morass of spaghetti code is available to all comers.
    PMC-CON
    27th Aug 2008
  • Bad compared to what? Using what metrics?
    My primary concern is stability, if you avoid Debian and the bog standard Red Hat (and you should) you have an operating system that is as stable as the best in the market today with very little variance. How is that bad?
    terjeb@...
    27th Aug 2008
  • Missing the point...
    The usual Loverock sarcasm is entertaining, but these forums are for issue discussion as well. Keep your eyes on the ball, people.

    Linux is secure enough for me, in my opinion. Fixes are provided in a quick manner. I don't have to wait for a special Tuesday (Microsoft) or until the moon turns to blue cheese (Apple) before security issues are addressed.

    Linux will become a larger target as it steals market share from MS. I am not shocked about more frequent attacks, on the contrary, it suggests Linux is appealing to more people.
    Information_z
    31st Aug 2008
  • RE:Then they'd be WELL ahead of MS...
    Only because they are WELL behind in popularity. As the influx of Linux newbies becomes greater, so will the threats they have to face. Never forget that part.
    jetsethi
    27th Aug 2008
  • Bzzzt! Wrong!
    Linux is significantly more stable than is any version of Windows ever created. That is a very important reason for the popularity of Linux. Given that Linux probably never will become a desktop operating system the way Windows is, it doesn't matter how many "newbies" start using it for fun. It isn't going to be compromised by "newbies", they won't be able to.
    terjeb@...
    27th Aug 2008
  • Do you have to be rude about it?
    It is soon obvious that even getting more software on the system involves things like tarballs and rolling your own.

    Didn't run my new DVD either. It said it had the right codec but... somebody must have made an improvement because the disk ran great on Vista and a DVD player.

    As long as that is true most people will run not walk the other way.

    I like linux a lot but tarballs and such is another world.
    deowll
    27th Aug 2008
  • Don't underestimate what users can do
    DOS was not very user friendly for the average user, but they could find ways of screwing that up too. Yes, users can crash Linux. I've crashed a Linux desktop before and I wasn't even doing anything extreme on the system (I just started a piece of 3D software that KDE didn't like). Linux is stable, but it's not crash-proof. I even had a faulty floppy drive send the kernel into a kernel panic. Some bit somewhere freaked out and caused a chain reaction to crash the kernel. Discovered it was the floppy drive that had gone bad and removed it and the kernel booted fine.
    alaniane@...
    28th Aug 2008
