The Potential for an SSH Worm

SSH, or secure shell, is the standard protocol for remotely accessing UNIX
systems. It's used everywhere: universities, laboratories, and
corporations (particularly in data-intensive back office services).
Thanks to SSH, administrators can stack hundreds of computers close
together into air-conditioned rooms and administer them from the
comfort of their desks.

When a user's SSH client first establishes a connection to a remote
server, it stores the name of the server and its public key in a
known_hosts database. This database of names and keys allows the client
to more easily identify the server in the future.

There are risks to this database, though. If an attacker compromises
the user's account, the database can be used as a hit-list of follow-on
targets. And if the attacker knows the username, password, and key
credentials of the user, these follow-on targets are likely to accept
them as well.

A new paper from MIT explores the potential for a worm to use this infection
mechanism to propagate across the Internet. Already attackers are
exploiting this database after cracking passwords. The paper also warns
that a worm that spreads via SSH is likely to evade detection by the
bulk of techniques currently coming out of the worm detection community.

While a worm of this type has not been seen since the first Internet
worm of 1988, attacks have been growing in sophistication and most of
the tools required are already in use by attackers. It's only a matter
of time before someone writes a worm like this.

One of the countermeasures proposed in the paper is to store hashes
of host names in the database, rather than the names themselves. This
is similar to the way hashes of passwords are stored in password
databases, so that security need not rely entirely on the secrecy of
the database.

The authors of the paper have worked with the open source community,
and version 4.0 of OpenSSH has the option of hashing the known-hosts
database. There is also a patch for OpenSSH 3.9 that does the same
thing.
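To make the countermeasure concrete, here is an added illustration (not code from the paper, and not OpenSSH's own implementation) of the hashed known_hosts scheme OpenSSH 4.0 adopted: each hostname is replaced by `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, and the client can still recognise a server by recomputing the HMAC with the stored salt. The sample known_hosts lines and the hostnames in them are constructed for this example; the key material is a placeholder, not a real key.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"  # OpenSSH marker for a hashed hostname entry


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the OpenSSH-style hashed form |1|salt|hmac of hostname.

    OpenSSH uses a 20-byte random salt and HMAC-SHA1 keyed with that salt,
    both base64-encoded. A fixed salt may be passed to get repeatable output.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def hostname_matches(entry: str, hostname: str) -> bool:
    """True if a known_hosts host token (hashed or plain) refers to hostname."""
    if not entry.startswith(HASH_MAGIC):
        return entry == hostname  # legacy plaintext entry
    try:
        salt_b64, digest_b64 = entry[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, binascii.Error):
        return False  # malformed entry never matches
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_known_hosts(lines: List[str]) -> List[str]:
    """Rewrite plaintext known_hosts lines into hashed ones.

    Comments, blank lines and already-hashed lines pass through unchanged.
    A plaintext entry may list several comma-separated names; each name
    becomes its own hashed line so no name is recoverable from the file.
    """
    out = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith(HASH_MAGIC):
            out.append(line)
            continue
        hosts, rest = stripped.split(None, 1)
        for host in hosts.split(","):
            out.append(f"{hash_hostname(host)} {rest}")
    return out


def find_host(lines: List[str], hostname: str) -> Optional[str]:
    """Return the key field for hostname, or None; works on hashed and plain files."""
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hosts, rest = stripped.split(None, 1)
        for host in hosts.split(","):
            if hostname_matches(host, hostname):
                return rest
    return None


# Constructed sample file: hostnames and key strings are placeholders.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample; key material is a placeholder, not a real key",
    "build01.example.internal,10.0.0.5 ssh-ed25519 AAAAC3PLACEHOLDERKEY1",
    "git.example.internal ssh-ed25519 AAAAC3PLACEHOLDERKEY2",
]


def leaks_hostnames(lines: List[str]) -> bool:
    """True if any sample hostname still appears in clear text in lines."""
    return any("example.internal" in l or "10.0.0.5" in l for l in lines)


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    for l in hashed:
        print(l)
    print("plaintext names visible:", leaks_hostnames(hashed))
    print("build01 key:", find_host(hashed, "build01.example.internal"))
```

Note the limit the post's password-file analogy already implies: salting and hashing stops an attacker who reads the file from simply listing the user's servers, but anyone holding the file can still test a guessed hostname against each salt, exactly as with a stolen password hash. It raises the cost of building a hit-list; it does not make the file safe to expose.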

The authors are also looking for more data to judge the extent of
the problem. Details about the research, the patch, data collection,
and whatever else they have going on can be found here.  [Schneier on Security]