Botnets participating in the “slow brute force” have become smarter

Around the beginning of November, security experts noticed the unusual behavior of botnets. They began a coordinated work on the slow search of usernames and passwords for a variety of hosts. Specialists call this “slow brute force”, because the speed of password guessing is extremely low (you need to sort through all password combinations for all possible logins in the dictionary) - this process will take several years. But due to the huge number of machines participating in the “attack”, the business is nevertheless gradually advancing - every day the attackers get some kind of “catch”. Requests come from different IPs (see logs ). The attack is clearly coordinated from a common center (bots have a common dictionary for enumerating options).

To date, botnets have gone over more than half of the dictionary and reached the letter “o”. How this will end and who is behind the strange activity is not yet entirely clear. It is also unclear why attackers do not touch machines running OpenBSD.

Only one thing is clear: recently, the activity of botnets has undergone changes . The number of password attempts for each login has decreased from 10-15 to 1-4. Experts believe that the redistribution of resources in the botnet may be the reason for this. Bots dynamically switch from more complex targets to simpler ones and redistribute resources.

A search on the Internet for information about slow brute force shows that the first signs were noticed back in May 2008. You can analyze an unknown enemy only if you combine the logs from different services on which the activity of these bots is present.