Aurich Lawson
Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to target millions of servers around the world.
The botnet uses proprietary software written from scratch to infect and corrupt servers in a peer-to-peer network, investigators from security firm Guardicore Labs reported on Wednesday. P2P botnets spread their administration among many infected nodes instead of relying on a control server to send commands and receive pilgrim data. With no centralized server, botnets are generally harder to spot and harder to block.
“What was interesting about this campaign was that at first glance there was no apparent server and control (CNC) attached to it,” wrote Guardicore Labs researcher Ophir Harpaz. “It was shortly after the start of the investigation when we realized that there was no CNC in the first place.”
The botnet, with researchers from Guardicore Labs, named FritzFrog, has a host of other advanced features, including:
- Payloads in memory that never touch the disks of infected servers.
- At least 20 versions of the binary software since January.
- Only focus on infecting secure shell, like SSH, servers that use network administrators to manage machines.
- The ability to create infected servers backdoor.
- A list of login authentication combinations that are used to exploit weak login passwords that are more “comprehensive” than those in previously seen botnets.
Put it all together and …
Taken together, the attributes indicate that an above-average operator has invested a lot of resources to build a botnet that is effective, difficult to detect, and take further for takedowns. The new code base – combined with fast-evolving versions and payloads that run only in memory – make it difficult for antivirus and other endpoint protection to detect the malware.
The peer-to-peer design makes it difficult for investigators if law enforcement enforces the operation. The typical way to slow down is to manage the command-and-control server. With servers infected with FritzFrog exercising decentralized control over each other, this traditional measure does not work. Peer-to-peer also makes it impossible to search through control servers and domains for clues about the attackers.
Harpaz said company researchers first crashed into the botnet in January. Since then, she said, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecom companies, and universities. The botnet has so far managed to manage 500 servers belonging to “well-known universities in the US and Europe, and a rail company.”
Folsleine featured
Once installed, the malware can execute 30 commands, including those that execute scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe out SSH commands to a netcat client on the infected machine. Netcat then connects to a “malware server.” Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it is possible that the ‘malware server’ may be hosted on one of the infected machines, rather than a dedicated server. Guardicore Labs researchers were immediately available to clarify.)
To infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys that the botnet uses to send commands and receive data.
“This program, which we called frogger, allowed us to explore the nature and scope of the network,” Harpaz wrote. “With frogger, we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic.”
Before restarting infected machines, FritzFrog installs a public encryption key for the server’s “authorized_keys” file. The certificate acts as a backdoor in case the weak password is changed.
Recording Wednesday’s findings is that administrators who do not protect SSH servers with both a strong password and a cryptographic certificate, can already be infected with malware that is difficult for the untrained eye to detect. The report has a link to indicators of compromise and a program that can spot infected machines.
