New P2P botnet infects SSH servers around the world



[Image: cartoon of a desktop computer attacked by viruses. Credit: Aurich Lawson]

Researchers have discovered what they believe is a previously unknown botnet that uses exceptionally advanced measures to covertly target millions of servers around the world.

The botnet uses proprietary software written from scratch to infect servers and integrate them into a peer-to-peer network, researchers from security firm Guardicore Labs reported Wednesday. P2P botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive stolen data. Without a centralized server, botnets are generally harder to spot and harder to shut down.

“What was intriguing about this campaign was that at first glance there was no apparent Command and Control Server (CNC) it was connected to,” wrote Guardicore Labs researcher Ophir Harpaz. “It was not long after the start of the research that we realized that no CNC existed at the start.”

The botnet, which Guardicore Labs researchers named FritzFrog, has a host of other advanced features, including:

  • Payloads in memory that never touch the disks of infected servers.
  • At least 20 versions of the binary software since January.
  • A sole focus on infecting Secure Shell, or SSH, servers that network administrators use to manage machines.
  • The ability to backdoor infected servers.
  • A list of login credential combinations used to identify weak passwords that is more extensive than those of previously seen botnets.

Put it all together and …

Taken together, the attributes indicate an above-average operator who has invested significant resources to create an efficient botnet that is difficult to detect and resilient to takedowns. The new code base, combined with rapidly evolving versions and payloads that only run in memory, makes it difficult for antivirus and other endpoint protection systems to detect the malware.

The peer-to-peer design makes it difficult for researchers or law enforcement to stop the operation. The usual takedown method is to seize control of the command-and-control server. With FritzFrog-infected servers exercising decentralized control over each other, this traditional measure does not work. The peer-to-peer design also makes it impossible to sift through control servers and domains for clues about the attackers.

Harpaz said company researchers first discovered the botnet in January. Since then, she said, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecommunications companies and universities. The botnet has so far succeeded in infecting 500 servers belonging to “well-known universities in the United States and Europe, and a railway company”.

Full functionality

Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To bypass firewalls and endpoint protection, attackers route commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malicious server”. (The mention of this server suggests that FritzFrog’s peer-to-peer structure may not be absolute. Or it is possible that the “malicious server” is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren’t immediately available for clarification.)

To infiltrate and analyze the botnet, the researchers developed a program that swaps out the encryption keys the botnet uses to send commands and receive data.

“This program, which we named frogger, allowed us to study the nature and scope of the network,” Harpaz wrote. “Thanks to Frogger, we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic.”

Before infected machines are restarted, FritzFrog installs a public encryption key in the server’s “authorized_keys” file. The key acts as a backdoor in case the weak password is later changed.
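One way for an administrator to check for this kind of persistence, as an added example that is not code from the report or from Guardicore: a small Python audit that parses an authorized_keys file, computes each key’s SHA256 fingerprint the way ssh-keygen does, and flags any key that is not on an allowlist the administrator maintains. The sample keys and allowlist below are constructed test data, not indicators from the report.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def make_ed25519_blob(raw32: bytes) -> str:
    """Build a base64 public-key blob from 32 raw bytes (test data only, not a real key)."""
    s = lambda b: len(b).to_bytes(4, "big") + b  # SSH wire-format length-prefixed string
    return base64.b64encode(s(b"ssh-ed25519") + s(raw32)).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """One dict per key line; blank lines and '#' comments are skipped. Everything before
    the key-type token is treated as options (quoted options with spaces are not handled)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        try:
            if idx is None:
                raise ValueError("no key type found")
            fp = fingerprint(tokens[idx + 1])  # binascii.Error is a ValueError subclass
        except (ValueError, IndexError) as exc:
            entries.append({"line": lineno, "error": str(exc), "raw": line})
            continue
        entries.append({"line": lineno, "options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "fingerprint": fp, "comment": " ".join(tokens[idx + 2:])})
    return entries

def audit(text: str, allowed_fingerprints: set) -> list:
    """Entries whose fingerprint is not on the allowlist, plus unparseable lines."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowed_fingerprints]

# Constructed sample input: one known admin key, one key nobody registered.
ADMIN_KEY = make_ed25519_blob(bytes(range(32)))
UNKNOWN_KEY = make_ed25519_blob(bytes(32))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {ADMIN_KEY} admin@bastion
ssh-ed25519 {UNKNOWN_KEY}
"""
ALLOWLIST = {fingerprint(ADMIN_KEY)}
```

Running audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST) returns only the line holding the unregistered key; on a real host, compare every user’s authorized_keys (including root’s) against fingerprints you recorded when the keys were issued.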

The takeaway from Wednesday’s findings is that administrators who fail to protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that is difficult for the untrained eye to detect. The report contains a link to indicators of compromise and a program capable of detecting infected machines.
