New P2P botnet infects SSH servers all over the world

Researchers have found what they believe may be a previously undiscovered botnet that uses unusually advanced measures to covertly target many servers around the world.

The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. P2P botnets distribute their administration among many infected nodes instead of relying on a central command server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to identify and harder to take down.

“What was intriguing about this campaign was that, at first sight, there was no apparent command and control (CNC) server being connected to,” Guardicore Labs researcher Ophir Harpaz wrote. “It was shortly after the start of the research when we understood no CNC existed in the first place.”

The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:

  • In-memory payloads that never touch the disks of infected servers.
  • At least 20 versions of the software binary since January.
  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines.
  • The ability to backdoor infected servers.
  • A list of login credential combinations used to test for weak login passwords that’s more “extensive” than those in previously seen botnets.

Put that all together and...

Taken together, the attributes indicate an above-average operator who has invested considerable resources to create a botnet that’s effective, difficult to detect, and resilient to takedowns. The new code base, combined with rapidly evolving versions and payloads that run only in memory, makes it hard for antivirus and other endpoint protection to detect the malware.

The peer-to-peer design makes it difficult for researchers or law enforcement to shut down the operation. The usual means of takedown is to seize control of the command-and-control server. With servers infected with FritzFrog exercising decentralized control over one another, this traditional measure doesn’t work. Peer-to-peer also makes it impossible to sift through control servers and domains for clues about the attackers.

Harpaz said that company researchers first came across the botnet in January. Since then, she said, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecom companies, and universities. The botnet has thus far succeeded in infecting 500 servers belonging to “well-known universities in the US and Europe, and a railway company.”

Once installed, the malicious payload can execute 30 commands, including ones that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server.” (Mention of this server suggests that the FritzFrog peer-to-peer structure might not be absolute. Or it’s possible that the “malware server” is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren’t immediately available to clarify.)

To infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys the botnet uses to send commands and receive data.

“This program, which we named frogger, allowed us to research the nature and scope of the network,” Harpaz wrote. “Using frogger, we were also able to join the network by ‘injecting’ our nodes and participating in the ongoing P2P traffic.”

Before infected machines reboot, FritzFrog installs a public encryption key into the server’s “authorized_keys” file. The key acts as a backdoor in the event the weak password gets changed.
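Because the persistence mechanism described above is an extra public key in authorized_keys, one defender-side check is to compare every key present with the fingerprints an administrator actually issued. The following is an added example, not code from the article or from Guardicore's report; every key blob in it is constructed sample data (not a real FritzFrog indicator), and the allowlist, file contents and function names are assumptions for the sake of the demonstration.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key fingerprints.

Added example, not part of the article or the Guardicore report. The keys below
are constructed sample material in SSH wire format; they are not usable keys and
not indicators of compromise for FritzFrog.
"""
import base64
import hashlib
import struct

# Key types an authorized_keys parser should recognise (assumed list, not exhaustive)
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type: str, material: bytes) -> str:
    """Build a base64 key blob in SSH wire format (constructed sample, not a real key)."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(material)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) for each key line, tolerating a leading options field."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # authorized_keys allows options such as command="...",no-pty before the key type,
        # so locate the first token that is a key type rather than assuming column 0.
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def audit(text: str, allowlist: set) -> list:
    """Return (fingerprint, key_type, comment) for every key not in the allowlist."""
    unknown = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in allowlist:
            unknown.append((fp, key_type, comment))
    return unknown


# Constructed sample keys: an administrator key, a restricted backup key, and a stray key
ADMIN_KEY = make_blob("ssh-ed25519", b"A" * 32)
BACKUP_KEY = make_blob("ssh-ed25519", b"C" * 32)
STRAY_KEY = make_blob("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01" + b"B" * 64)

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file, not a real server's authorized_keys
ssh-ed25519 {ADMIN_KEY} alice@workstation
command="/usr/local/bin/backup",no-pty ssh-ed25519 {BACKUP_KEY} backup@storage
ssh-rsa {STRAY_KEY}
"""

# Allowlist built from the keys the administrator knowingly issued (assumed inventory)
ALLOWLIST = {fingerprint(ADMIN_KEY), fingerprint(BACKUP_KEY)}


if __name__ == "__main__":
    # In practice read /home/<user>/.ssh/authorized_keys and /root/.ssh/authorized_keys
    for fp, key_type, comment in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"UNKNOWN KEY {key_type} {fp} comment={comment!r}")
```

The fingerprints match what `ssh-keygen -lf authorized_keys` prints, so an allowlist can be built from that tool's output on a known-good host; any line the audit reports should be investigated rather than silently deleted, since the same file may also reveal which account the weak password belonged to.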

The takeaway from Wednesday’s findings is that administrators who don’t protect SSH servers with both a strong password and key-based (certificate) authentication may already be infected with malware that’s hard for the untrained eye to detect. The report includes a link to indicators of compromise and a program that can spot infected machines.
