
Slow brute force botnets have become smarter

Around early November, security experts noticed unusual botnet behavior: the bots began a coordinated, slow search for logins and passwords across a variety of hosts. Experts call this “slow brute force” because the guessing rate is extremely low. Going through every password combination for every login in the dictionary at that rate would take several years. But thanks to the huge number of machines involved in the "attack", it still makes gradual progress, and every day the attackers get some kind of "catch". Requests come from different IP addresses (see logs). The attack is clearly coordinated from a common center: the bots share a common dictionary for working through the options.

To date, the botnets have worked through more than half of the dictionary and reached the letter “o”. How it will end and who is behind the strange activity is not entirely clear. It is also unclear why the attackers don’t touch OpenBSD machines.

One thing is clear: the activity of the botnets has recently changed. The number of password attempts for each login has dropped from 10-15 to 1-4. Experts believe the reason may be a redistribution of resources within the botnet: bots dynamically switch from more complex targets to simpler ones and redistribute resources.

An Internet search for information about slow brute force shows that the first signs were noticed as early as May 2008. An unknown adversary like this can be analyzed only by combining logs from the different services on which these bots are active.
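The combined-log analysis described above, sketched as an added example (not from the original article): it merges failed-login lines from two hosts and contrasts what a per-IP counter sees with the cross-host view. The OpenSSH syslog line format, the host names, the sample lines, the assumed year and the threshold of 5 are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sshd syslog lines from two hypothetical hosts (not real logs).
WEB1 = """\
Dec 18 02:11:04 web1 sshd[811]: Failed password for invalid user nadia from 198.51.100.7 port 40112 ssh2
Dec 18 02:31:15 web1 sshd[815]: Failed password for invalid user nancy from 192.0.2.44 port 33870 ssh2
Dec 18 03:05:09 web1 sshd[822]: Failed password for invalid user olga from 203.0.113.77 port 42210 ssh2
Dec 18 03:38:47 web1 sshd[830]: Failed password for invalid user oscar from 198.51.100.7 port 40777 ssh2
""".splitlines()
DB1 = """\
Dec 18 02:19:40 db1 sshd[402]: Failed password for invalid user nadia from 203.0.113.9 port 51844 ssh2
Dec 18 02:47:52 db1 sshd[409]: Failed password for invalid user nancy from 198.51.100.23 port 60021 ssh2
Dec 18 03:20:31 db1 sshd[415]: Failed password for invalid user oliver from 192.0.2.44 port 33991 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(lines, year=2008):
    """Return (time, host, user, ip) per failed login; syslog omits the year, so it is assumed."""
    out = []
    for m in filter(None, map(FAILED.match, lines)):
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((when, m["host"], m["user"], m["ip"]))
    return out

def summarize(events, per_ip_threshold=5):
    """Contrast the per-IP view (what a rate limiter sees) with the combined view."""
    events = sorted(events)                      # merge all hosts into one timeline
    per_ip = Counter(ip for _t, _h, _u, ip in events)
    users = [u for _t, _h, u, _ip in events]
    best = run = min(1, len(users))
    for prev, cur in zip(users, users[1:]):      # longest alphabetically non-decreasing run
        run = run + 1 if cur >= prev else 1
        best = max(best, run)
    return {
        "failures": len(events),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "ips_over_threshold": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
        "alphabetical_run": best,
    }

if __name__ == "__main__":
    print(summarize(parse_failures(WEB1 + DB1)))
```

On the sample, no address reaches the per-IP threshold, yet the merged timeline shows seven failures from five addresses walking the logins in alphabetical order.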


Source: https://habr.com/ru/post/47681/

