In just four seconds, a highly advanced self-spreading worm can use SSH brute-force attacks to fully compromise Linux systems. The threat builds a rapidly spreading botnet by combining traditional credential stuffing against devices with weak authentication with cryptographic verification of its command and control traffic. The attack shows how vulnerable systems remain when default passwords are left unaltered, especially on Raspberry Pi computers and other Internet of Things devices.

Within seconds of first contact, the malware completes its full attack lifecycle, demonstrating its exceptional efficiency. A small, 4.7-kilobyte bash script is uploaded and launched instantly after an attacker obtains access using weak credentials.

Using Internet Relay Chat networks, this script links the compromised device to command and control infrastructure, creates multiple layers of persistence, and terminates competing malware processes. Researchers from the Internet Storm Center discovered this threat by examining traffic recorded by DShield honeypot sensors, which are designed to identify SSH-based attacks. According to the investigation, the malware started on a compromised Raspberry Pi device in Germany that had been hit by the same attack chain.

[Figure: network diagram of the observed attack (source: Internet Storm Center)]

The botnet can spread rapidly throughout susceptible internet-connected systems thanks to its worm-like propagation pattern. The attack starts as soon as the malware successfully authenticates using standard default credentials. It specifically targets Raspberry Pi devices with usernames like "pi" and passwords like "raspberry" or "raspberryraspberry993311."
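The login pattern described above (a burst of failed password attempts from one source, followed by a successful password login to a default account such as "pi") is visible in the SSH daemon's own authentication log. The following detector is an added example, not code from the Internet Storm Center or from the article; it runs over a constructed auth.log excerpt, counts failed password logins per source address inside a sliding window, and raises a second alert when a password login from a source that was just brute-forcing succeeds. The threshold, window size and the watch list of default account names are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# syslog-style sshd lines; publickey logins do not match and are ignored on purpose
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Hypothetical watch list: accounts that ship with well-known default passwords.
DEFAULT_ACCOUNTS = {"pi", "root", "admin"}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 pi4 sshd[1201]: Failed password for pi from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:01 pi4 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 10 12:00:02 pi4 sshd[1203]: Failed password for pi from 203.0.113.7 port 51236 ssh2
Mar 10 12:00:02 pi4 sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 10 12:00:03 pi4 sshd[1205]: Failed password for pi from 203.0.113.7 port 51238 ssh2
Mar 10 12:00:04 pi4 sshd[1206]: Accepted password for pi from 203.0.113.7 port 51239 ssh2
Mar 10 12:00:05 pi4 sshd[1207]: Failed password for pi from 198.51.100.9 port 40001 ssh2
Mar 10 12:05:00 pi4 sshd[1208]: Accepted publickey for ops from 192.0.2.10 port 40002 ssh2
"""


def parse_line(line):
    """Return a dict for password-auth lines, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; a fixed year is fine for relative windows
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as tuples: ('bruteforce', src, count) or
    ('success_after_failures', src, user) or ('default_account_login', src, user)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute-forcing
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        src, q = ev["src"], failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(q)))
        else:
            # a password login succeeding right after failures is the worm's signature
            if src in flagged or q:
                alerts.append(("success_after_failures", src, ev["user"]))
            elif ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append(("default_account_login", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the constructed sample this reports one brute-force alert for 203.0.113.7 after its fifth failure and one success-after-failures alert when the "pi" password login from the same address is accepted; the single failure from 198.51.100.9 and the key-based login are not alerted on. Feeding real /var/log/auth.log or journalctl output through it only requires that lines keep the standard sshd wording.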

The script immediately establishes persistence mechanisms through scheduled tasks and altered system files after gaining access. In order to guarantee exclusive control over system resources, it then terminates processes connected to rival botnets and cryptocurrency miners.

Advanced Verification of Commands Using Cryptographic Signatures

This threat's use of cryptographically signed command verification sets it apart from other SSH worms.

A built-in RSA public key in the malware verifies all commands from the command and control operator before they are executed. This check stops anyone other than the holder of the matching private key from issuing commands to compromised devices over the IRC channel. After establishing persistence, the compromised device joins several IRC networks in various geographical locations. The bot joins a channel called "#biret" and waits for more instructions.

To spread, the malware installs the scanning tools Zmap and sshpass on every compromised system, which lets the worm quickly scan the SSH port across 100,000 randomly selected IP addresses. Organizations can better protect themselves by turning off password-based SSH authentication and switching to key-based authentication. Other defenses include network segmentation to separate IoT devices from critical infrastructure, fail2ban for brute-force protection, and deleting default user accounts on Raspberry Pi devices.
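The first defense above, disabling password authentication in favor of keys, is a handful of sshd_config keywords, but it is easy to get wrong because sshd uses the first occurrence of a keyword and silently ignores later ones, and because a commented-out line leaves the compiled-in default (password authentication enabled) in force. The checker below is an added example, not code from the article or from OpenSSH; it reads a config the way sshd does for the global section, fills in the documented defaults for absent keywords, and reports settings that still permit password or root logins. The two configs it runs against are constructed samples, and the set of keywords it checks is an assumption chosen for this example.

```python
import re

# Values a hardened config should have for each keyword (lower-cased for comparison).
EXPECTED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "kbdinteractiveauthentication": {"no"},
}

# OpenSSH compiled-in defaults applied when the keyword is absent (see sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

# Older configs use the deprecated alias for KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: a freshly imaged device whose password login was never disabled.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
"""

# Constructed sample: hardened config. The second PasswordAuthentication line is ignored
# by sshd because the first occurrence wins; the Match block is conditional and not
# evaluated here.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PasswordAuthentication yes   # ignored: first occurrence wins
Match User backup
    PasswordAuthentication yes
"""


def effective_settings(config_text):
    """Return the global-section settings as sshd would resolve them:
    comments stripped, 'Key value' or 'Key=value' accepted, first occurrence wins,
    parsing stops at the first Match block."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        seen.setdefault(key, value)   # keep the first value, ignore later ones
    return seen


def audit_sshd_config(config_text):
    """Return a list of (keyword, effective_value, allowed_values) findings; an
    empty list means the checked keywords are all hardened."""
    settings = effective_settings(config_text)
    findings = []
    for key, allowed in EXPECTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual not in allowed:
            findings.append((key, actual, tuple(sorted(allowed))))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "ok")
```

Against the weak sample it reports three findings: password authentication left at its default of yes, root login permitted, and keyboard-interactive authentication enabled (which lets password prompts through even when PasswordAuthentication is off). The hardened sample passes. Because the checker stops at the first Match block, a conditional block that re-enables passwords for a specific user or address must be reviewed by hand, and the result should be confirmed on the host with `sshd -T`, which prints the fully resolved configuration.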
