the SSH worm thing

Florin Andrei florin at andrei.myip.org
Wed May 11 18:45:28 UTC 2005


On Wed, 2005-05-11 at 19:47 +0200, Tomas Mraz wrote:
> On Wed, 2005-05-11 at 13:34 -0400, Alan Cox wrote:
> > On Wed, May 11, 2005 at 10:04:12AM -0700, Florin Andrei wrote:
> > > http://www.schneier.com/blog/archives/2005/05/the_potential_f.html

> > I'm not convinced it helps very much. I'll just read every .history file on
> > your machine and hash the hostnames I find in that against the database.

Right, but the entries in the .history files are typically short-lived,
while the ones in known_hosts are, more or less, forever.

I just verified my .bash_history file and it has 10 different
addresses/hostnames that I ssh'ed to. known_hosts has 40. That's approx.
halfway through to the next order of magnitude. And I'm using ssh quite
a lot.

Slowing down the attack vector by (almost) an order of magnitude is no
small feat - I bet you it translates into many orders of magnitude in
the difference between the population exhaustion times. Agreed, it
depends on a multitude of factors, but it could be the difference
between a malware that takes the Internet by storm, and a moderate
infection that can be contained.

> > There are just far too many other ways to identify an ssh host entry/key and
> > to then use that the same way the analysed user has.

True, but there's no universal cure for anything. You gotta take a first
step somewhere.
This first step is practically gratis.

> Also if the attacker could read the known_hosts file he could also
> change the user's environment so it instead of ssh calls a malicious
> script/binary which would log user's credentials and only then called
> the real ssh binary.

Correct, but the hash-armoured known_hosts file has the purpose of stopping
a potential SSH worm from spreading like wildfire: infect a machine,
then in a few seconds infect a dozen more, repeat. It's the same
exponential growth mechanism that made some Outlook malware that was
able to read the address book so dangerous.
The mechanism you describe is entirely different; it's an altogether
different attack.

-- 
Florin Andrei

http://florin.myip.org/
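Added example (not part of Florin's message or of this thread): a Python sketch of what a "hash-armoured" known_hosts entry is, using the OpenSSH HashKnownHosts format (host field "|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))"). It shows the two things the discussion turns on: the ssh client can still verify a hostname against a hashed line, but a reader of the file only gets hostnames out of the plaintext lines, not the hashed ones. The sample known_hosts contents, hostnames and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample known_hosts text: two plaintext entries whose key blobs
# are shortened placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
build.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...PLACEHOLDER
10.0.0.5,db.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...PLACEHOLDER
"""


def hash_hostname(hostname, salt=None):
    """Return the host field OpenSSH writes for a hashed known_hosts line.

    OpenSSH uses a random 20-byte salt and HMAC-SHA1 keyed with that salt
    over the hostname; both are base64-encoded into "|1|salt|digest".
    """
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def hostname_matches(host_field, hostname):
    """What the ssh client does on connect: does this line cover hostname?

    Hashed fields are checked by recomputing the HMAC with the stored salt;
    plaintext fields are a comma-separated list of names/addresses.
    """
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in host_field.split(",")


def readable_hostnames(known_hosts_text):
    """Hostnames a reader of the file learns without guessing.

    Hashed lines contribute nothing: without a candidate hostname to test
    there is no way back from the HMAC to the name.
    """
    names = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field = line.split(None, 1)[0]
        if host_field.startswith("|1|"):
            continue
        names.extend(host_field.split(","))
    return names


def hash_known_hosts(known_hosts_text):
    """Rewrite every plaintext line into hashed form, one line per name
    (this mirrors what `ssh-keygen -H` does to an existing file)."""
    out = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            out.append(line)
            continue
        host_field, rest = line.split(None, 1)
        for name in host_field.split(","):
            out.append("%s %s" % (hash_hostname(name), rest))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("plaintext file exposes:", readable_hostnames(SAMPLE_KNOWN_HOSTS))
    print("hashed file exposes:   ", readable_hostnames(hashed))
    first_field = hashed.splitlines()[0].split(None, 1)[0]
    print("client still matches build.example.org:",
          hostname_matches(first_field, "build.example.org"))
```

On a real OpenSSH client the equivalent is `HashKnownHosts yes` in ~/.ssh/config for new entries and `ssh-keygen -H -f ~/.ssh/known_hosts` to convert an existing file. The caveat Alan Cox raises still applies: the hash only hides names the reader cannot otherwise guess, so any hostname already found in a shell history or config file can be tested against each salted line.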




More information about the fedora-devel-list mailing list