• SSH worm exploited weak passwords, compromising Linux systems in seconds.
• Attack used credential brute force, then uploaded a 4.7 KB bash script via SCP.
• Script established persistence, killed competing malware, and set up a backdoor.
• Command-and-control leveraged IRC, with cryptographically signed commands for authenticity.
• Automated lateral movement employed ZMap and sshpass to spread across networks.
• Attack traced to a compromised Raspberry Pi, highlighting IoT device risks.
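The first two bullets describe the stage a defender can see most directly: a burst of failed password logins from one source, followed within seconds by an accepted password login. The detector below is an added example written for this page, not code from the diary or from the DShield sensor; it assumes standard OpenSSH sshd log lines (as written to auth.log or journald) and uses constructed sample lines with TEST-NET addresses. It reports a source as compromised when an accepted password login follows at least `min_failures` failures from the same IP within `window_seconds`, counting failures across different usernames because a spraying worm tries many accounts before one lands.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the diary). 203.0.113.10 sprays
# four passwords and gets in on the fourth second; 198.51.100.7 is a normal user
# who mistypes once and then authenticates with a key; 192.0.2.5 is still knocking.
SAMPLE_LOG = """\
Jan 12 03:14:01 sensor sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Jan 12 03:14:02 sensor sshd[1202]: Failed password for root from 203.0.113.10 port 51235 ssh2
Jan 12 03:14:02 sensor sshd[1203]: Failed password for invalid user pi from 203.0.113.10 port 51236 ssh2
Jan 12 03:14:03 sensor sshd[1204]: Failed password for root from 203.0.113.10 port 51237 ssh2
Jan 12 03:14:04 sensor sshd[1205]: Accepted password for root from 203.0.113.10 port 51238 ssh2
Jan 12 03:14:04 sensor sshd[1205]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Jan 12 03:20:11 sensor sshd[1310]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 03:20:15 sensor sshd[1311]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:abc
Jan 12 04:00:00 sensor sshd[1400]: Failed password for root from 192.0.2.5 port 33001 ssh2
Jan 12 04:00:01 sensor sshd[1401]: Failed password for root from 192.0.2.5 port 33002 ssh2
Jan 12 04:00:02 sensor sshd[1402]: Failed password for root from 192.0.2.5 port 33003 ssh2
"""

# Matches only password authentication results; key-based logins are ignored
# because a credential-spraying worm cannot produce them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line, year=2025):
    """Return (timestamp, result, user, ip) for a password-auth line, else None.
    Syslog timestamps carry no year, so one is assumed (parameter)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce_logins(lines, min_failures=3, window_seconds=60):
    """One alert per accepted password login that was preceded by at least
    min_failures failed password attempts from the same IP inside the window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            continue
        if len(q) >= min_failures:
            alerts.append({
                "ip": ip,
                "user": user,
                "failures": len(q),
                "seconds": (ts - q[0]).total_seconds(),  # first failure -> success
            })
        q.clear()
    return alerts


def noisy_sources(lines, min_failures=3, window_seconds=60):
    """IPs that reached min_failures failed password attempts inside the window,
    whether or not they ever succeeded (the spray still in progress)."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, _, _, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        q.append(ts)
        if len(q) >= min_failures:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    for a in detect_bruteforce_logins(SAMPLE_LOG.splitlines()):
        print(f"compromise: {a['ip']} as {a['user']} after {a['failures']} failures in {a['seconds']:.0f}s")
    print("still spraying:", noisy_sources(SAMPLE_LOG.splitlines()))
```

On the sample input the compromise alert fires three seconds after the first failure, which is the time scale the diary's title refers to; a threshold of three failures in sixty seconds is deliberately low for a sensor that expects no legitimate logins, and would need raising on a production host where users mistype passwords.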

Article Summaries:

  • Four Seconds to Botnet - Analyzing a Self Propagating SSH Worm with Cryptographically Signed C2 [Guest Diary] [This is a Guest Diary by Johnathan Husch, an ISC intern as part of the SANS.edu BACS program] Weak SSH passwords remain one of the most consistently exploited attack surfaces on the Internet. Even today, botnet operators continue to deploy credential stuffing malware that is capable of performing a full compromise of Linux systems in seconds. During this internship, my DShield sensor captured a complete attack sequence involving a self-spreading SSH worm that combines: - Credential br

Sources: