An international research team from the Max Planck Institute (MPI) for Informatics in Saarbrücken, Germany, and the Delft University of Technology in the Netherlands has developed a method to detect compromised hosts at internet scale by probing servers with public SSH keys previously observed in attacker operations. This way, the team was able to identify more than 16,000 compromised hosts. Their findings have now been published at one of the world’s leading conferences on computer system and network security, the USENIX Security Symposium 2025, where they were awarded a Distinguished Paper Award and the prestigious Internet Defense Prize.
Secure Shell (SSH) is one of the most common tools used to manage servers remotely. It provides a secure, encrypted channel between a client and a server, allowing users to log in, execute commands, and transfer files safely. SSH is widely used by system administrators and developers for maintaining and configuring remote systems. When a machine is compromised, attackers often install their own SSH keys to guarantee persistent access. From that moment on, they can freely connect and use the machine as they desire. This technique is stealthy: the legitimate user’s password remains unchanged, so typical alerts are never triggered. Detecting such compromises at internet scale is not a trivial task.
In their work presented at the USENIX Security Symposium 2025, one of the leading conferences on computer and network security, the team consisting of Cristian Munteanu, Prof. Dr. Anja Feldmann and Dr.-Ing. Tobias Fiebig of MPI for Informatics and Prof. Dr. Georgios Smaragdakis of Delft University of Technology introduced "Catch-22: Uncovering Compromised Hosts using SSH Public Keys".
The method relies on a subtle feature of SSH’s authentication protocol. When a client offers a public key, the server only responds with a cryptographic challenge if that key is on its list of authorized keys. By probing servers with public keys previously observed in attacker operations, it was possible to identify machines where those keys have been installed, indicating compromised systems. “Crucially, we never complete authentication, and we do not even know the private keys – the response with the challenge alone is enough,” explains first author Cristian Munteanu.
The researchers implemented this technique at internet scale by scanning both IPv4 and IPv6 address ranges with 52 keys, which could be linked by a collaborating company from the security sector to attacks of malicious actors like “teamtnt”, “mozi” or “fritzfrog”. To ensure reliability, they validated their findings across multiple SSH implementations, filtered out noisy servers using “canary” test keys, and cross-checked results against botnet intelligence. A “canary” key refers to a newly generated SSH key that is not installed on any server and, therefore, must never hit. If a server responds to this key, it is excluded from further scanning, as it may produce unreliable or misleading results. The scans revealed more than sixteen thousand compromised machines across hosting providers, enterprises, and academic networks, many of which were linked to known malware infrastructures.
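The following Python script is an added illustration, not code from the paper or from the authors' released detection tool. It models the two protocol messages the method relies on (the RFC 4252 "publickey" request sent without a signature, and the SSH_MSG_USERAUTH_PK_OK answer a server gives only for an authorized key) and then applies the canary-key filter described above to a small in-memory fleet. The server model (`SimServer`), the host addresses and all key bytes are constructed for the example; nothing is sent over a network.

```python
import base64
import hashlib
import struct

# Message numbers from RFC 4252 (SSH authentication protocol).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset; returns (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def ed25519_blob(raw32: bytes) -> bytes:
    """Wire-format public key blob for ssh-ed25519 (algorithm name + 32 key bytes)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (base64 without padding)."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    return "SHA256:" + digest.decode()


def build_pk_query(user: str, blob: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST with the 'signature present' boolean set to FALSE.
    This only asks whether the key would be acceptable; no private key is needed."""
    algo, _ = read_string(blob, 0)
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                      # FALSE: no signature follows
            + ssh_string(algo)
            + ssh_string(blob))


def parse_pk_query(msg: bytes):
    """Server side: extract (user, has_signature, blob) from a publickey request."""
    assert msg[0] == SSH_MSG_USERAUTH_REQUEST
    user, off = read_string(msg, 1)
    _service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    assert method == b"publickey"
    has_sig = msg[off] != 0
    _algo, off = read_string(msg, off + 1)
    blob, _ = read_string(msg, off)
    return user.decode(), has_sig, blob


class SimServer:
    """Constructed stand-in for an sshd deciding on a publickey query."""

    def __init__(self, authorized_blobs, accept_any=False):
        self.authorized = {fingerprint(b) for b in authorized_blobs}
        self.accept_any = accept_any  # models a 'noisy' host that answers PK_OK to any key

    def handle(self, msg: bytes) -> bytes:
        _user, has_sig, blob = parse_pk_query(msg)
        if not has_sig and (self.accept_any or fingerprint(blob) in self.authorized):
            algo, _ = read_string(blob, 0)
            return bytes([SSH_MSG_USERAUTH_PK_OK]) + ssh_string(algo) + ssh_string(blob)
        # USERAUTH_FAILURE: name-list of methods that may continue, partial_success = FALSE
        return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey") + b"\x00"


def key_is_acceptable(server: SimServer, blob: bytes) -> bool:
    """True if the server answers the signature-less query with PK_OK."""
    return server.handle(build_pk_query("root", blob))[0] == SSH_MSG_USERAUTH_PK_OK


def scan(fleet: dict, attacker_keys: dict, canary_blob: bytes) -> dict:
    """Canary filter first: a freshly generated key installed nowhere must never be
    accepted, so a host that accepts it is excluded as unreliable. For the remaining
    hosts, every accepted attacker key is reported as a hit."""
    report = {}
    for host, server in fleet.items():
        if key_is_acceptable(server, canary_blob):
            report[host] = "excluded: accepts canary key"
            continue
        report[host] = sorted(label for label, blob in attacker_keys.items()
                              if key_is_acceptable(server, blob))
    return report


# Constructed sample data: these are not real attacker keys or real hosts.
ATTACKER_KEYS = {
    "constructed-botnet-A": ed25519_blob(bytes([0x11]) * 32),
    "constructed-botnet-B": ed25519_blob(bytes([0x22]) * 32),
}
CANARY = ed25519_blob(bytes([0xCA]) * 32)
ADMIN_KEY = ed25519_blob(bytes([0x77]) * 32)

FLEET = {
    "192.0.2.10": SimServer([ADMIN_KEY]),                                         # clean
    "192.0.2.11": SimServer([ADMIN_KEY, ATTACKER_KEYS["constructed-botnet-A"]]),  # compromised
    "192.0.2.12": SimServer([], accept_any=True),                                 # noisy, filtered
}

if __name__ == "__main__":
    for host, result in scan(FLEET, ATTACKER_KEYS, CANARY).items():
        print(host, result)
```

The canary check runs before any attacker key is tried, which is why the noisy host never produces a false hit; in the simulated fleet only the host whose authorized list contains the constructed "botnet-A" key is reported.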
To make a contribution to internet security beyond making the measurements, the researchers collaborated with the Shadowserver Foundation and the German Federal Office for Information Security (BSI), as well as the Computer Emergency Response Team for Germany’s federal authorities (CERT-Bund), which is based there. The Shadowserver Foundation is a nonprofit organization that specializes in large-scale security notifications to responsibly notify network operators and national Computer Emergency Response Teams (CERTs). Follow-up scans after Shadowserver’s reports showed a clear decrease in the number of compromised hosts.
“The main contribution of Catch-22 is to demonstrate that a long-standing internet protocol can be used in new ways to improve defense. The strength of the method lies in the fact that attackers cannot easily evade detection by switching to random keys for every compromised host, since managing thousands of unique keys across large botnets or infrastructures does not scale operationally,” says Anja Feldmann, Scientific Director of the Internet Architecture department at MPI for Informatics. By observing whether servers recognize known attacker keys, the new method can uncover compromises remotely, at scale, and with very few false positives. This turns the attackers’ own persistence strategy into a reliable signal for defenders and provides a practical tool to strengthen internet security.
The paper received a Distinguished Paper Award and the Internet Defense Prize at this year’s USENIX Security Symposium. Funded by Meta and awarded with USENIX since 2014, the Internet Defense Prize honors research that significantly enhances internet security. The prize recipients are selected independently by the USENIX Security Awards Committee.
Press contact:
Philipp Zapf-Schramm
Digital Communications Manager MPI for Informatics
Tel: +49 681 9325 4509
Email: pzs@mpi-inf.mpg.de
Dr.-Ing. Tobias Fiebig
Senior Researcher, Department Internet Architecture at MPI for Informatics
Email: tfiebig@mpi-inf.mpg.de
Munteanu, C., Smaragdakis, G., Feldmann, A., Fiebig, T. (2025). Catch-22: Uncovering Compromised Hosts using SSH Public Keys. In 34th USENIX Security Symposium. USENIX. https://www.usenix.org/system/files/usenixsecurity25-munteanu.pdf
https://edmond.mpg.de/dataset.xhtml?persistentId=doi:10.17617/3.LVPCS6 Open-access detection-tool
https://www.mpi-inf.mpg.de/de/departments/inet Website of the department Internet Architecture at MPI for Informatics
https://www.shadowserver.org/what-we-do/network-reporting/compromised-ssh-host-s... Shadowserver Special Report
Cristian Munteanu, first author of the award-winning paper.
Source: Philipp Zapf-Schramm
Copyright: Max Planck Institute for Informatics
Criteria of this press release:
Journalists
Information technology
transregional, national
Research results
English