Hello and welcome to the Wednesday, January 3rd, 2004 edition of the Sans and at Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Wrote a quick diary today about Azage identification strings.

These are essentially these banners that are being sent as

S-H clients are connecting to S-S-S-H servers. Both sites will send a banner. It's mandated,

actually, in the standard that there must be a banner and how it's formatted. But aside from the S-H version beginning,

it's pretty much up to the implementer,

what exact string to use.

So I looked at our Anipods to see what

as-H banners are being sent there.

Well, LipsH is sort of by far the most popular one. That's the standard Unix

S.H library followed by Go. And Go is sort of interesting here. Go is not what I would

call a super popular language, certainly quite popular. And one thing where it's really sort of

excels at is these multi-threaded

clients and servers, which of course makes it a great language to write little scanning tools and

such, which is why we see it so much here with SSH. But the real lesson I want to get across here

is that you should track these SSH identification strings,

in particular as far as they exit your network.

Not too much that you can do about those that scan your network, and sure you have a ton of

Mirai in similar bots doing it, but if you take a look at what's exiting your network,

you may see, for example, some odd backdoor

or Trojan communicating or maybe just an out-of-date version of a tool

...