New P2P botnet infects SSH servers all over the world

EnlargeAurich Lawson

Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world.

The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. P2P botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.

“What was intriguing about this campaign was that, at first sight, there was no apparent command and control (CNC) server being connected to,” Guardicore Labs researcher Ophir Harpaz wrote. “It was shortly after the beginning of the research when we understood no CNC existed in the first place.”

The botnet, with Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:

  • In-memory payloads that never touch the disks of infected servers.
  • At least 20 versions of the software binary since January.
  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines.
  • The ability to backdoor infected servers.
  • A list of login credential combinations used to suss out weak login passwords thats more “extensive” than those in previously seen botnets.

Put that all together and…

Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet thats effective, difficult to detect and resilient to takedowns. The new code base—combined with rapidly evolving versions and payloads that run only in memory—make it hard for antivirus and other end-point protection to detect the malware.

The peer-to-peer design makes it difficult for researchers or law enforcement to shut down the operation. The typical means of takedown is to seize control of the command-and-control server. With servers infected with FritzFrog exercising decentralized control of each other, this traditional measure doesnt work. Peer-to-peer also makes it impossible to sift through control servers and domains for clues about the attackers.

Harpaz said that company researchers first stumbled on the botnet in January. Since then, she said, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecom companies, and universities. The botnet has so far succeeded in infecting 500 servers belonging to “well-known universities in the US and Europe, and a railway company.”

Full featured

Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to Read More – Source