'Limpninja' Trojan horse emerges

Security watchers are speculating that hackers familiar with the ways of the ninja may be attempting to construct a distributed denial of service (DDos) network on compromised Secure Shell Hosts (SSHs).

Threads on security newsgroups have suggested that hackers may be breaking into Linux boxes running the SSH1 protocol, using a known vulnerability in the SSH CRC32 (cyclic redundancy checksum) that was published late last month.

Writing on the BugTraq security mailing list yesterday William Salusky, of security firm DMZS, said: "It appears that someone may be building up a network of [potential] DDos hosts."

He explained that he had discovered a compromised Red Hat box that was being used as a central host for other 'zombie' machines, although it is not yet clear how the central server communicates with the zombies.

Apparently the attacker manually installed an IRC server, which was communicating with more than 120 other host machines.

The communication channel was called 'kujikiri', a method of esoteric teaching used by the ninja, and the channel key was tagged 'ninehandscutting', an ancient ninjitsu hand movement.

Apparently all hosts communicating with the central server were logging on using identification names prefixed with 'ninja'.

According to experts, the Trojan program installed in the attack does not match any signatures identified so far and, if it is new, Salusky has already christened it 'Limpninja'.

Also last week attackers operating from network blocks in The Netherlands used the same exploit to break into another Red Hat box on the University of Washington network. Once inside the server the attackers installed Trojan horses and the machine was set up to scan for other vulnerable hosts.

According to Dave Dittrich, of the computing and communications department of the University, 25,386 unique hosts were scanned over a number of days and 1,244 vulnerable hosts were identified, although only four were thought to be compromised.

As of yet there is no evidence to tie the University hack to previous 'ninja' attacks although the incident suggests that there are still a number of vulnerable machines out there.

A Computer Emergency Response Team warning about the SSH1 vulnerability, which allows a remote attacker to execute arbitrary code with the privileges of the SSH daemon (typically root), can be found here.