The Hail Mary Cloud: slow but steady brute-force password-guessing botnet

Hail MaryDid you hear about the recent exploit of jailbroken jesusPhones? Yeah, the Rick-rolling one (though that wasn’t strictly the original exploit, rather some Australian script-kiddie’s repurposing of a Dutch exploit from earlier in the month); to sum it all up in a sentence, bad things can happen to your hardware if you install software without changing the default password. As a sensible and experienced web denizen, you knew that already, of course.

But when you set or change a password, you’d better make the effort to think up a good one. Countless studies have shown how easy it is for black-hat types to guess the most common passwords (or alternatively social-engineer them out of you), but the ease of guessing is going to increase rapidly very soon, thanks to something one free software geek from Norway is calling the Hail Mary Cloud. [image by Anna Gay]

Yeah, I know, the pop-culture reference is a bit obscure, so I’ll sum it up for you: the Hail Mary Cloud is essentially a brute-force password-guessing botnet that has been scraping away at SSH daemons in recent months. A Mechanical Turk method of botnet expansion, in other words; why wait for someone to click on a spam email link when you can prise open a back-door on a webserver somewhere? [via SlashDot]

Each attempt in theory has monumental odds against succeeding, but occasionally the guess will be right and they have scored a login. As far as we know, this is at least the third round of password guessing from the Hail Mary Cloud, but there could have been earlier rounds that escaped our attention.

The fact that we see the Hail Mary Cloud keeping up the guessing is a strong indicator that there are a lot of guessable passwords and possibly badly maintained systems out there, and that even against the very long odds they are succeeding often enough in their attempts to gain a foothold somewhere that it is worth keeping up the efforts. For one thing, the cost of using other people’s equipment is likely to be quite low.

There are a lot of things about the Hail Mary Cloud and its overseers that we do not know. People who responded to the earlier articles with reports of similar activity also reported pretty consistently something like a sixty to seventy percent match in hosts making the attempts.

With 1767 hosts in the current sample it is likely that we have a cloud of at least several thousand, and most likely no single guessing host in the cloud ever gets around to contacting every host in the target list. The busier your SSH deamon is with normal traffic, the harder it will be to detect the footprint of Hail Mary activity, and likely a lot of this goes undetected.

If you’re worried, you’re thinking right – even the most complex of passwords can be guessed if you’ve got enough processor cycles (and available attempts) to spare. If the Hail Mary Cloud grows big enough, the era of the password as an even partially effective security method may be over… so start genning up on public key encryption now and avoid the rush.