26 August 2020

Meet A New BotNet > FritzFrog

A New Botnet Is Covertly Targeting Millions of Servers 
FritzFrog has been used to try and infiltrate government agencies, banks, telecom companies, and universities across the US and Europe
_________________________________________________________________________

Dan Goodin, Ars Technica
This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.
The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday.
Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.
__________________________________________________________________________
Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world...
The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:
  • In-memory payloads that never touch the disks of infected servers
  • At least 20 versions of the software binary since January
  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines
  • The ability to backdoor infected servers
  • A list of login credential combinations used to suss out weak login passwords that’s more “extensive” than those in previously seen botnets
Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that’s effective, difficult to detect, and resilient to takedowns. The new code base—combined with rapidly evolving versions and payloads that run only in memory—make it hard for antivirus and other end-point protection to detect the malware.
The peer-to-peer design makes it difficult for researchers or law enforcement to shut down the operation. . .
To infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys the botnet uses to send commands and receive data.
“This program, which we named Frogger, allowed us to investigate the nature and scope of the network,” Harpaz wrote. “Using Frogger, we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic.”
Before infected machines reboot, FritzFrog adds a public SSH key to the server’s “authorized_keys” file. That key acts as a backdoor that keeps working even after the weak password is changed.
The takeaway from Wednesday’s findings is that administrators who don’t protect SSH servers with both a strong password and key-based authentication may already be infected with malware that’s hard for the untrained eye to detect. The report has a link to indicators of compromise and a program that can spot infected machines.
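One defender-side check that follows from the authorized_keys backdoor described above, added here as an example (not code from Wired, Ars Technica or Guardicore): audit a server's authorized_keys contents against an allowlist of SHA256 fingerprints in the form `ssh-keygen -lf` prints, and flag any key nobody provisioned as well as entries that do not parse. The key blobs, file contents and function names are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import shlex
# Key types commonly seen in authorized_keys; extend as needed.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    raw = base64.b64decode(blob_b64, validate=True)  # raises ValueError on junk
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """Return (key_type, blob, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # copes with quoted options such as command="..."
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError(f"unparseable entry: {line!r}")

def audit_authorized_keys(text: str, allowed: set) -> list:
    """One finding per key not in `allowed` or not parseable; [] means clean."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_line(line)
            if parsed is None:
                continue
            key_type, blob, comment = parsed
            fp = fingerprint(blob)
        except ValueError as exc:
            findings.append({"line": lineno, "reason": str(exc)})
            continue
        if fp not in allowed:
            findings.append({"line": lineno, "type": key_type, "fingerprint": fp, "comment": comment, "reason": "not in allowlist"})
    return findings

# Constructed sample: these blobs are NOT real keys, only well-formed base64.
GOOD_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "G" * 43
SUSPECT_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "Q" * 43
SAMPLE_FILE = (
    f'command="/usr/bin/backup" ssh-ed25519 {GOOD_BLOB} admin@example\n'
    f"ssh-ed25519 {SUSPECT_BLOB}\n"  # no comment and never provisioned
    "ssh-rsa not-base64!! stray\n"
)
ALLOWED = {fingerprint(GOOD_BLOB)}  # from an inventory kept off the host
```

Calling `audit_authorized_keys(SAMPLE_FILE, ALLOWED)` reports line 2 (fingerprint not in the allowlist) and line 3 (blob not valid base64); in practice the allowlist should come from configuration management rather than from the host being checked.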
Read more > Wired.com