Monday, November 15, 2010

Malware Authors: Show Me Your Passwords!

I'm baffled. And that doesn't happen too often. In February I wrote a blog post over at Elcomsoft's official blog, entitled "Why you should crack your passwords". I'm long overdue for a follow-up on that post, taking another angle on the same statement. Do you remember Conficker (also known as Downadup)? I guess you do. And that's the primary reason for this blog post, and for me being baffled.

At work one of my regular tasks is to coordinate joint efforts on security patch management. We've got quite a few systems to keep updated, but that would be a different story to tell. I remember the MS08-067 patch, and how we deployed it faster than anything else we had ever deployed earlier. (To those of my colleagues reading this: I'm proud of your efforts!).

As soon as Conficker went into action across the Internet, security professionals started analyzing it. The "B" version of Conficker, first discovered December 29, 2008, used a simple dictionary to conduct brute-force authentication attempts against the default ADMIN$ share on Windows systems. This was done in order to increase the probability of successful infection and to spread faster.

A nice summary of how Conficker did this can be found in the article "Downadup: Locking Itself Out" by Eric Chien at Symantec, while a more extensive list of passwords used by Conficker can be found at F-Secure's virus description of W32/Downadup.

Back to me being baffled. 

I've been playing, working, researching - dreaming - about passwords for more than 9 years now. One of the things that I requested as soon as I heard Conficker/Downadup did dictionary attacks was a complete list of all the passwords in its wordlist. I think I laughed for quite some time when I saw it: it was BAD. As in not good, if your purpose is to get access to accounts and shares with a low number of guesses before locking out accounts (which is exactly what happened wherever Conficker gained initial entry).

So of course I did another round of password audits in order to be sure NONE of these passwords would succeed for Conficker. And I was correct: none of those passwords would give access to anything that I was responsible for at that time.

The original reason for doing this blog post was to follow up on my previous post at the Elcomsoft blog. You should crack your passwords not only to check compliance between your written password policy and its various technical implementations across platforms. You should also do it to measure compliance between real-life passwords and the technical and written policy.

This blog post was supposed to talk about the passwords found in various malware like Conficker, and about their authors, who obviously (to me) didn't know much about statistically popular passwords or policy implementations. It was supposed to give you more background info that you could use when doing your own password audits, in order to protect yourself from such automated malware attacks.
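As an added example (not code from the original post), here is a small Python audit helper that ties the three checks above together: which entries of a malware wordlist your written policy would still accept, which audited accounts use a password that is on the list, which audited passwords break the written policy at all, and what a long dictionary actually does against an account lockout threshold. The wordlist, the account names, the recovered passwords and the policy values are all constructed samples for illustration; the wordlist is not Conficker's actual list.

```python
"""Password-audit helper (added example, not from the original post).

Everything below is constructed sample data:
- MALWARE_WORDLIST is an illustrative guessing dictionary, NOT Conficker's list.
- AUDIT_RESULTS are (account, recovered password) pairs such as a password
  audit would produce after cracking.
- POLICY is an assumed written policy; adjust it to match your own.
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class Policy:
    min_length: int = 8        # minimum password length
    min_classes: int = 3       # of: lowercase, uppercase, digit, symbol
    lockout_threshold: int = 5 # failed logons before the account locks


POLICY = Policy()

# Constructed, illustrative dictionary in the order a worm would try it.
MALWARE_WORDLIST = [
    "password", "123456", "admin", "letmein", "qwerty",
    "Password1", "Welcome123", "P@ssw0rd",
]

# Constructed audit output: account name and the password recovered for it.
AUDIT_RESULTS = [
    ("svc_backup", "Welcome123"),
    ("jdoe", "Summer2010!"),
    ("admin", "123456"),
    ("asmith", "P@ssw0rd"),
    ("build", "kT9#vm2Lq@x"),
]


def char_classes(pw: str) -> int:
    """Count how many of the four character classes a password uses."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(1 for check in checks if any(check(c) for c in pw))


def policy_accepts(pw: str, policy: Policy) -> bool:
    """True if the written policy would let a user choose this password."""
    return len(pw) >= policy.min_length and char_classes(pw) >= policy.min_classes


def wordlist_policy_gap(wordlist, policy: Policy):
    """Dictionary entries the written policy accepts: a user can comply with
    the policy and still be guessed by the malware."""
    return [w for w in wordlist if policy_accepts(w, policy)]


def exposed_accounts(audit, wordlist):
    """Accounts whose recovered password is literally on the malware list."""
    words = set(wordlist)
    return sorted(acct for acct, pw in audit if pw in words)


def policy_violations(audit, policy: Policy):
    """Accounts whose real password would not pass the written policy, i.e.
    where the technical implementation is weaker than the paper."""
    return sorted(acct for acct, pw in audit if not policy_accepts(pw, policy))


def simulate_guessing(audit, wordlist, policy: Policy):
    """Model the dictionary being tried in order against each account with a
    lockout threshold in force.  Returns (compromised, locked_out):
    compromised -> password hit before the threshold is reached,
    locked_out  -> password not hit, but the dictionary is long enough that
                   the account gets locked out (the Conficker side effect)."""
    limit = policy.lockout_threshold
    tried = set(wordlist[:limit])   # only the first `limit` guesses ever run
    compromised, locked_out = [], []
    for acct, pw in audit:
        if pw in tried:
            compromised.append(acct)
        elif len(wordlist) >= limit:
            locked_out.append(acct)
    return sorted(compromised), sorted(locked_out)


if __name__ == "__main__":
    print("wordlist entries the written policy accepts:",
          wordlist_policy_gap(MALWARE_WORDLIST, POLICY))
    print("accounts using a password on the list:",
          exposed_accounts(AUDIT_RESULTS, MALWARE_WORDLIST))
    print("accounts violating the written policy:",
          policy_violations(AUDIT_RESULTS, POLICY))
    hit, locked = simulate_guessing(AUDIT_RESULTS, MALWARE_WORDLIST, POLICY)
    print(f"with lockout at {POLICY.lockout_threshold}: compromised={hit}, locked out={locked}")
```

Feed it your own cracked-password export and the wordlists you collect, and the three lists tell you where the written policy, the technical policy and real passwords disagree. The lockout simulation makes the post's point concrete: a dictionary longer than the threshold mostly locks accounts out rather than getting in, which is noisy for the attacker and a denial of service for you.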

Instead, I end up with what really baffles me:
I've asked Norman, Sophos and F-Secure if they have ever compiled any lists of passwords used by various types of malware for password guessing. NONE of them has done anything like that; all I've got are links to old blog posts on Conficker. I've even googled for it several times, but no luck so far.

So in case none of my readers have made such a list, all I can say is:
Malware Authors: Show Me Your Passwords!
Oh, and if anyone of you decide to attend Passwords^10, please notify me upon arrival. :-)


  1. Below is the best study I've seen on ssh password brute-forcing. It's about 2 years old, but still a great read:

    But I agree with you. I haven't seen many lists of commonly used passwords in malware, (besides conficker). That information would be really useful for developing blacklists.

    If I had to make a prediction, I'd bet that future malware/attacks are probably going to use the top passwords from RockYou list as the basis for their dictionaries. It's not the best for targeting corporate accounts, but the RockYou list is large, public, and well known.

    Of course the other option would be, as criminal groups grow more organized, for the people exploiting systems to feed info back on stolen passwords to the tool developers. That's a much scarier outcome, though who knows, it may be happening now.

  2. Oh, and I nearly forgot this list collected over the course of one month in 2009 recording the username/passwords used in SSH password guessing attacks:

  3. Your post inspired me to do some more digging around so here's a more recent list of passwords used against SSH servers that I found:

  4. I'm happy to inspire you Matt! :-)

    Good findings. I think that brute-force attacks against SSH are something we can easily compile lists of; I've got quite a few SSH servers and friends where I can collect such info. I'll try to convince a few friends to analyze their logs and send the results to me.
