Linux Systems Targeted by New Malware, Goscanssh, Which Actively Avoids Government and Military Servers

Nintendo Switch Thrives on Linux

The malware has been working on Linux systems for nine months and is yet to be fixed. It actively avoids affecting government and military servers for a reason.

A new strain of malware has been seen on the internet. The new malware was created and written in Golang. The malware, called the GoScanSSH malware, targets any server that is based on Linux. The malware only affects the systems which are not in any way linked to the government or the military.

A group called the Cisco’s Talos Intelligence Group reported that there were various interesting behaviors from the malware. The new report done by the group showed that the GoScanSSH malware could generate a new malware binary for each of the new users they affected. The security researchers got to know about the malware initially after it affected the Ubiquiti Enterprise Gateway Router. After this, they discovered more than 70 different GoScanSSH variants. After their discoveries, they concluded that the threat was obviously being improved upon by the hackers.

Target devices

The malware works by using a lot of username/password combinations to attack some SSH servers. It brute forces its way into a weak or sometimes default credentials of the Linux operated devices. The malware tries to use the usernames so that it can authenticate the SSH servers. It uses the following, admin, guest, Oracle, osmc, pi, root, test, ubnt, Ubuntu, and user.

These combinations together with other credentials are then used to target some specific devices. The malware always targets the following devices and operating systems; Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

When the malware affects a device, it determines on its own how the infected system is powerful. It then generates an identifier that is only unique to that infected system. It sends the results to a server hosted by C2, and which can be accessed via the Tor2Web proxy service. This is its own way of making tracking difficult for authorities. It also helps to resist any takedowns by other systems.

According to the researchers, the attack by the malware is probably in its ninth month. The attack started in June 2017  and has now managed to get 250 domains. The C2 domain, which has the biggest resolution requests, is now showing it has been seen at least 8,579 times.

The GoScanSSH malware tries everything to not affect military or government systems. The malware tries to scan for additional SSH servers which it believes it can infect. The scan is done by bringing out vulnerable servers, which can be done through the generation of IP addresses. This procedure helps it to avoid especially used addresses like those of the government. After connecting to an IP address through the TCP/22 protocol, the malware will check if the IP address is related to a domain. It then checks the list of domain names, so as to avoid those that might be owned by the government. If it sees a relationship, then it ultimately changes the IP address.

The security researchers managed to provided a list of domains that the malware is afraid of. Most of those domains included the mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the malware does not see the system on the no-no list, it infects the system. It generates a binary for the compromised system, through which it infects the new host and the process repeats. The researchers said that they were going to continue with monitoring the malware, to better understand it.