‘Butter’ attack still victimizing Linux servers: Report

To many people, butter is a basic food that is used widely in cooking and eating. It’s also the username an attack group has been using after breaking into Linux servers.

Which is why GuardiCore Labs has dubbed an attack campaign that has been going on for several years “Butter.” And like its namesake, simplicity is the key to its success.

“The Butter attackers break into servers by brute forcing SSH [secure shell] credentials,” the security vendor said in an analysis released Thursday. “This technique, while basic, is still incredibly effective worldwide. Weak and unsecured machines still exist by the tens of thousands across all industries ranging from tiny IoT devices to large servers.”

The group or person behind this campaign is apparently happy with the way it has been going: a new payload was released over the summer.

GuardiCore says that since 2015 its sensors on customer deployments have detected thousands of attacks carrying the butter signature, at varying intensities. Unusually, over the last two years they have all originated from just four IP addresses located in Hong Kong or Singapore.

There have been two common payloads, which GuardiCore dubs “80” and “samba.” 80, the older and more prevalent, is an x64 variant of the well-known DDoS malware XOR.DDoS, dropped under the file name 80. The report describes it as a modern remote access tool with DDoS functionality: it keeps itself running persistently through cron, kills competing malware, and installs a Linux kernel rootkit to hide its tracks.

Graphic from GuardiCore

Samba, named after one of the file names it hides under, was first detected in July of this year. In addition to acting as a RAT, it can download files, execute shell commands and take part in DDoS attacks, and it includes built-in functionality to download and run a Monero cryptominer. GuardiCore has seen seven versions of this malware since it first appeared.

By lying low and avoiding mistakes that would aid attribution, the group or person behind this campaign has managed to stay stealthy with relatively simple infrastructure, the analysis says.

To protect against this attack, infosec teams should focus on locking down systems, says GuardiCore: enforce credential policies that block weak passwords, routinely review who and what can access the servers, and monitor outbound connections, which could easily uncover compromised devices communicating with cryptocurrency mining pools.

Check for compromised Linux servers by searching for a user named butter (for example, in /etc/passwd). To check whether a specific user exists on a system, run the command id -u butter. If the user exists, the command prints its numeric user ID; the account this campaign adds has UID 0, meaning it runs with root privileges.
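The check described above, extended into a small POSIX shell script. This is an added illustration, not code from the GuardiCore report: it parses a passwd file, flags any account named butter and any account other than root that has UID 0 (a root-equivalent account under any name, which goes slightly beyond the single-username check in the text), and runs against a constructed sample passwd file so it works offline. The function names and the sample entries are this example's own; on a live server, point scan_passwd at /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the GuardiCore report): look for the "butter"
# signature user and for any non-root account that has UID 0.
# Function names and the sample passwd content below are this example's own.

# check_passwd_line LINE
# LINE is one /etc/passwd entry (name:password:uid:gid:gecos:home:shell).
# Prints "name:uid" and returns 0 when the entry is the butter user or a
# root-equivalent (UID 0) account other than root; returns 1 otherwise.
check_passwd_line() {
    line=$1
    name=${line%%:*}
    rest=${line#*:}      # drop the name field
    rest=${rest#*:}      # drop the password field
    uid=${rest%%:*}
    if [ "$name" = "butter" ] || { [ "$uid" = "0" ] && [ "$name" != "root" ]; }; then
        printf '%s:%s\n' "$name" "$uid"
        return 0
    fi
    return 1
}

# scan_passwd FILE
# Runs check_passwd_line over every entry in FILE, printing each hit.
# Returns 0 if at least one suspicious account was found, 1 if the file is clean.
scan_passwd() {
    hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if check_passwd_line "$line"; then
            hits=$((hits + 1))
        fi
    done < "$1"
    [ "$hits" -gt 0 ]
}

# Constructed sample: a normal host plus the attacker's account, which the
# report describes as a user named butter with UID 0 (root privileges).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
butter:x:0:0::/home/butter:/bin/bash
EOF

if scan_passwd "$sample"; then
    echo "suspicious accounts found (listed above)"
else
    echo "no butter user or extra UID 0 accounts"
fi
rm -f "$sample"

# On a live server the same check is:   scan_passwd /etc/passwd
# or, as the report suggests, simply:   id -u butter
```

The UID check matters because a renamed attacker account would slip past a search for the literal name butter; any UID 0 entry besides root in /etc/passwd deserves the same scrutiny as the signature user.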

“We continuously find that the most basic attack methods that worked 10 years ago still work and will probably continue to be effective in the future,” warns the report. “Brute forcing credentials and simple persistence methods such as adding users to the system are not going away anytime soon. The signature user butter was first mentioned in a thesis from 2015 and until today continues to show up in many ‘top lists’ of SSH honeypots.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com