
New P2P botnet infects SSH servers all over the world - elorant
https://arstechnica.com/information-technology/2020/08/new-p2p-botnet-infects-ssh-servers-all-over-the-world/
======
peter_d_sherman
This looks like a clue as to what some, but probably not all, botnets consist
of...

The idea of using SSH servers (from the perspective of whichever group or
individual(s) wrote the given botnet that uses them) makes a lot of sense (in
an evil way), because there's a lot of SSH servers out there on the Internet.

To dig a little bit deeper (if I were an investigator), I'd investigate all of
the historical security issues that SSH has had, in its history...

Were some of those intentionally engineered?

?

If so, then whichever groups or individual(s) were involved -- might be -- or
might lead a security researcher a step closer to the actual authors of the
botnet...

Also... one needs to ask "who would need the botnet, and why?"

While I'm on the topic, I think it would be a great idea to research the
historical security issues that not just SSH, but every piece of server
software (Apache, etc.), _in order of the software's popularity_.

In other words, the more popular a piece of server software is -- the more
likely it is a target for intentional botnet "security modifications" (that
is, intentional weakening of the server software's security to support future
botnet activity...)

Also (and especially) if those server software packages use common shared
libraries of code in their codebases, then those common shared libraries are
prime targets...

So, here's what I would do for sleuthing this:

1) List/enumerate all known pieces of software that act as servers on the
Internet.

2) Order the list created in #1 by popularity.

3) Look for all libraries/code bases -- shared across those.

4) Look at the historical security issues of those codebases.

and, for skilled investigators:

5) Audit these codebases for changes/commits that look similar to other
historical changes in other codebases where security was compromised.

Anytime someone sees weird or not-understandable code in a shared codebase --
it should be flagged for peer review. The more eyes, the better.
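Steps 2 and 3 of the procedure above (order server software by popularity, then find the libraries shared across them) can be mechanised from ordinary `ldd` output. The following is an added example, not code from the article or from anyone in this thread: it parses constructed `ldd`-style dependency listings for a handful of hypothetical server binaries, attaches a made-up popularity ranking, and ranks each shared library by how many servers depend on it and how popular the most popular dependent is. The binary names, library versions, paths and load addresses are all placeholders; on a real host you would feed it the output of `ldd` over your actual server binaries and your own popularity data.

```python
"""Rank shared libraries by how many (popular) server programs depend on them.

Added example for the "find libraries shared across server software" step.
All input below is constructed: the servers, their dependency lists and the
popularity ranking are illustrative placeholders, not real audit data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# ldd prints "name.so.N => /path/name.so.N (0xaddr)" for resolved libraries
# and "name.so.N => not found" for unresolved ones. The vDSO and the dynamic
# loader print without "=>" and are not shared code bases, so they are skipped.
_LDD_LINE = re.compile(
    r"^\s*(?P<soname>\S+\.so(?:\.\d+)*)\s*=>\s*(?P<target>.+?)\s*(?:\(0x[0-9a-f]+\))?\s*$"
)

# Constructed sample: one ldd-style listing per hypothetical server binary.
LDD_OUTPUT = {
    "sshd": """
        linux-vdso.so.1 (0x00007ffd5a1f0000)
        libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f1a8c000000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007f1a8bfe0000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f1a8bdf0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1a8c300000)
    """,
    "httpd": """
        libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f2b10000000)
        libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f2b0fd00000)
        libpcre.so.1 => /usr/lib/libpcre.so.1 (0x00007f2b0fc80000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007f2b0fc60000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f2b0fa70000)
    """,
    "nginx": """
        libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f3c20000000)
        libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f3c1fd00000)
        libpcre.so.1 => /usr/lib/libpcre.so.1 (0x00007f3c1fc80000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007f3c1fc60000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f3c1fa70000)
    """,
    "postfix": """
        libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f4d30000000)
        libdb.so.5 => /usr/lib/libdb.so.5 (0x00007f4d2fc00000)
        libsasl2.so.2 => not found
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f4d2fa00000)
    """,
}

# Constructed popularity ranking: 1 is the most widely deployed (step 2).
POPULARITY = {"sshd": 1, "httpd": 2, "nginx": 3, "postfix": 4}

# Libraries every dynamically linked program pulls in; shared by definition,
# so they are excluded by default to keep the ranking informative.
C_RUNTIME = frozenset({"libc", "libm", "libdl", "libpthread", "librt"})


def parse_ldd(text: str) -> Dict[str, str]:
    """Map library base name (e.g. 'libcrypto') to its resolved path.

    Unresolved ("not found") entries are dropped rather than counted, since
    there is no code base on disk to audit for them.
    """
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LDD_LINE.match(line)
        if not m or m.group("target") == "not found":
            continue
        base = m.group("soname").split(".so", 1)[0]  # strip .so and version
        deps[base] = m.group("target")
    return deps


def rank_shared_libraries(
    ldd_by_server: Dict[str, str],
    popularity: Dict[str, int],
    ignore: frozenset = C_RUNTIME,
) -> List[Tuple[str, int, List[str]]]:
    """Return (library, dependent_count, dependents) rows, most shared first.

    Ties on dependent count are broken by the popularity of the most popular
    dependent, then by library name, so the top rows are the code bases whose
    compromise would reach the most and the most widely deployed servers.
    """
    dependents: Dict[str, List[str]] = defaultdict(list)
    for server, text in ldd_by_server.items():
        for lib in parse_ldd(text):
            if lib not in ignore:
                dependents[lib].append(server)
    rows = []
    for lib, servers in dependents.items():
        servers.sort(key=popularity.__getitem__)  # most popular dependent first
        rows.append((lib, len(servers), servers))
    rows.sort(key=lambda r: (-r[1], popularity[r[2][0]], r[0]))
    return rows


if __name__ == "__main__":
    for lib, count, servers in rank_shared_libraries(LDD_OUTPUT, POPULARITY):
        print(f"{lib:<12} {count}  {', '.join(servers)}")
```

The ranked list is the input to step 4: each row names a code base whose change history is worth reading, ordered by how much of the server population it touches. Passing `ignore=set()` puts the C runtime back in the ranking if you want the unfiltered view.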

