ClickCease New SSH-Snake Worm-Like Tool Threatens Network Security

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

New SSH-Snake Worm-Like Tool Threatens Network Security

Rohan Timalsina

March 7, 2024 - TuxCare expert team

The Sysdig Threat Research Team (TRT) discovered that a threat actor is leveraging an open-source network mapping tool called SSH-Snake for malicious activities. This tool utilizes SSH credentials found on the compromised systems to propagate itself across networks.

Released on January 4, 2024, SSH-Snake is a bash shell script engineered to autonomously search breached systems for SSH credentials and leverage them for propagation. One notable feature of it includes the capacity for self-modification and size reduction during initial execution, achieved by removing comments, redundant functions, and whitespace from its code.


SSH-Snake Hunts for Private Keys


Following an intrusion, attackers often employ a common strategy: lateral movement, where they seek out additional targets within the system. SSH-Snake takes this lateral movement to the next level by meticulously hunting for private keys. This self-modifying worm is more effective and successful than normal SSH worms because it avoids the characteristics that are easily recognized in scripted attacks and instead offers better stealth, flexibility, configurability, and thorough credential discovery.

The worm is designed to find SSH keys in various locations, including shell history files, creating a map of a network and its dependencies. After mapping the network, it determines potential vulnerabilities exploitable via SSH and SSH private keys from a specific host.

Employing a myriad of direct and indirect methods, SSH-Snake finds private keys on compromised systems by:

  • Searching common directories and files where SSH keys and credentials are typically stored, such as .ssh directories and config files.
  • Parsing shell history files (e.g., .bash_history, .zsh_history) to identify commands (ssh, scp, rsync) referencing SSH private keys.
  • Utilizing the ‘find_from_bash_history’ feature to parse bash history for SSH-related commands, uncovering direct references to private keys and associated credentials.
  • Analyzing system logs and network cache (ARP tables) to pinpoint potential targets and gather information leading to private key discovery.




SSH-Snake leverages SSH keys to spread across networks and its fileless nature makes it challenging to detect. According to researchers, it has been employed offensively against approximately 100 victims. The discovery of malicious utilization of SSH-Snake shows an “evolutionary step” in malware development, targeting a widely used secure connection method prevalent in enterprise environments. To identify such attacks, runtime threat detection tools like Sysdig Secure or Open Source Falco can be employed.

Discover how attackers target poorly secured Linux SSH servers.


The sources for this article include a story from BleepingComputer.

New SSH-Snake Worm-Like Tool Threatens Network Security
Article Name
New SSH-Snake Worm-Like Tool Threatens Network Security
Uncover the stealthy threat of SSH-Snake, a self-modifying worm discovered by Sysdig TRT, targeting private keys for lateral movement.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter