[nsp-sec] [OT?] REQUESTING INFO Re: coordinated slow ssh crack attempts II
Jose Nazario
jose at arbor.net
Thu Sep 11 10:50:33 EDT 2008

stepping back up a bit on this thread, SSH scanning in general ..

i think i see a small handful of tools recycled and used by a few groups.
mostly the same MO, maybe some differences in the password list and such.

how many groups are we seeing do this? a few? i tied a few back to
romania, not sure if it's the same team or one team blatantly ripping off
another.

aside from playing whack a mole, what can we do to shut these puppies
down?

is anyone looking at blocking access to the HTTP/FTP server for the crack
kit that gets loaded on a popped box? this isn't a worm, it's classic late
90's: bruting -> login -> download from a central site and execute the
loop again.

--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/