New P2P botnet infects SSH servers everywhere in the world


Aurich Lawson

Researchers have found that they believe it is a previously undiscovered botnet that uses unusually advanced measures to covertly attack millions of servers around the world.

The botnet uses proprietary software written from scratch to infect servers and integrate them into a peer-to-peer network, researchers at security firm Guardicore Labs reported on Wednesday. P2P botnets spread their management over many infected nodes instead of relying on a control server to send commands and receive stolen data. Without a central server, botnets are generally harder to detect and more difficult to shut down.

"The interesting thing about this campaign was that at first glance there was no obvious command and control (CNC) server connected," wrote Ophir Harpaz, researcher at Guardicore Labs. "Shortly after the research began, we understood that there was no CNC at all."

The botnet with researchers from Guardicore Labs named FritzFrog has a number of other advanced features, including:

  • In-memory payload that never touches the hard drives of infected servers.
  • At least 20 versions of the software binary since January.
  • A single focus is on infecting Secure Shell or SSH servers that network administrators use to manage computers.
  • The ability to open infected servers through backdoor.
  • A list of combinations of credentials used to identify weak login passwords that are "larger" than those found in botnets previously seen.

All together and …

Taken together, the attributes indicate an above-average operator who has invested considerable resources in building a botnet that is effective, difficult to detect and resistant to shutdowns. The new code base – combined with rapidly evolving versions and payloads that only run in memory – make it difficult for antivirus and other endpoint protectors to detect the malware.

The peer-to-peer design makes it difficult for researchers or law enforcement agencies to cease operations. The typical means of shutdown is to take control of the command and control server. This conventional measure does not work on servers infected with FritzFrog that control each other decentrally. Peer-to-peer also makes it impossible to search control servers and domains for evidence of the attackers.

Harpaz said that corporate researchers first came across the botnet in January. Since then, it has targeted tens of millions of IP addresses from government agencies, banks, telecommunications companies and universities. So far, the botnet has succeeded in infecting 500 servers belonging to "well-known universities in the USA and Europe and a railway company".

Fully functional

Once installed, the malicious payload can run 30 commands, including those that run scripts and download databases, logs, or files. To bypass firewalls and endpoint protection, attackers forward commands via SSH to a Netcat client on the infected computer. Netcat then connects to a "malware server". (The mention of this server suggests that FritzFrog's peer-to-peer structure may not be absolute. Or it is possible that the “malware server” is hosted on one of the infected computers rather than on a dedicated server The Guardicore Labs researchers were not immediately available to clarify.)

In order to infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys with which the botnet sends commands and receives data.

"With this program, which we called Frogger, we were able to examine the nature and extent of the network," wrote Harpaz. "With Frogger, we were also able to join the network by" injecting "our own nodes and participating in ongoing P2P traffic."

Before restarting infected computers, FritzFrog installs a public encryption key in the "authorized_keys" file of the server. The certificate acts as a back door in case the weak password is changed.

Wednesday's results show that administrators who do not protect SSH servers with a strong password and cryptographic certificate may already be infected with malware that is difficult to see for the untrained eye. The report contains a link to compromise indicators and a program that can be used to detect infected machines.


Please enter your comment!
Please enter your name here