Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly attack millions of servers around the world.
The botnet uses proprietary software written from the ground up to infect servers and fold them into a peer-to-peer network, researchers at security firm Guardicore Labs reported Wednesday. P2P botnets spread their management across many infected nodes instead of relying on a central control server to send commands and receive stolen data. Without a central server, such botnets are generally harder to detect and more difficult to shut down.
"What was fascinating about this campaign was that at first glance there was no obvious command and control (CNC) server connected," wrote Guardicore Labs researcher Ophir Harpaz. "Shortly after starting the research, we understood that there was no CNC at all."
The botnet, dubbed FritzFrog by Guardicore Labs researchers, has a number of other advanced features, including:
- An in-memory payload that never touches the disks of infected servers.
- At least 20 versions of the software binary since January.
- A sole focus on infecting Secure Shell (SSH) servers, which network administrators use to manage machines remotely.
- The ability to backdoor infected servers.
- A list of login credential combinations, used to brute-force weak passwords, that is larger than those found in previously seen botnets.
Taken together, the attributes indicate an above-average operator who has invested considerable resources in building a botnet that is effective, hard to detect, and resistant to takedowns. The new code base, combined with rapidly evolving versions and payloads that run only in memory, makes it difficult for antivirus and other endpoint protection products to detect the malware.
The peer-to-peer design also makes it difficult for researchers or law enforcement to shut the botnet down. The usual approach is to seize the command and control server; that measure does not work against FritzFrog, because the infected servers control one another in a decentralized fashion. The design likewise leaves no control servers or domains that investigators could examine for evidence about the attackers.
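A payload that runs only in memory still leaves a trace on Linux: the kernel exposes the image each process was executed from through /proc/&lt;pid&gt;/exe, and that link reads "/memfd:&lt;name&gt; (deleted)" for a memfd_create()-based loader or "&lt;path&gt; (deleted)" for a binary unlinked after exec. The following script is an added example written for this article, not Guardicore's detection tool, and the process snapshot it checks is constructed; it flags processes with no backing file on disk.

```python
"""Find Linux processes running from an executable that no longer exists on disk.

Added example (not the Guardicore detection script). A payload that is never
written to disk still appears in /proc, where the kernel exposes the image it
was executed from. Two tell-tale forms are "/memfd:<name> (deleted)" for
memfd_create()-based loaders and "<path> (deleted)" for a binary that was
unlinked after exec.
"""
import os
from typing import Iterable, List, NamedTuple, Optional, Tuple


class ProcInfo(NamedTuple):
    pid: int
    comm: str            # contents of /proc/<pid>/comm (the short process name)
    exe: Optional[str]   # target of the /proc/<pid>/exe symlink, None if unreadable


def fileless_reason(exe: Optional[str]) -> str:
    """Return why the executable image looks fileless, or "" when it looks normal."""
    if exe is None:
        return ""   # unreadable (kernel thread or permission denied): no evidence either way
    if exe.startswith("/memfd:"):
        return "executed from an anonymous memfd"
    if exe.endswith(" (deleted)"):
        return "backing file was deleted after exec"
    return ""


def suspicious(procs: Iterable[ProcInfo]) -> List[Tuple[ProcInfo, str]]:
    """Pair each fileless process with the reason it was flagged."""
    return [(p, fileless_reason(p.exe)) for p in procs if fileless_reason(p.exe)]


def collect_procs(proc_root: str = "/proc") -> List[ProcInfo]:
    """Snapshot every numeric /proc entry; reading other users' exe links needs root."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue          # process exited between listdir and open
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            exe = None        # permission denied or kernel thread
        procs.append(ProcInfo(pid, comm, exe))
    return procs


# Constructed sample snapshot standing in for a live /proc walk.
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcInfo(812, "nginx", "/usr/sbin/nginx"),
    ProcInfo(2410, "nginx", "/memfd:nginx (deleted)"),       # masquerading name, never on disk
    ProcInfo(2455, "updater", "/tmp/.x/updater (deleted)"),  # dropped, run, then unlinked
    ProcInfo(77, "kworker/0:1", None),                       # kernel thread, no exe link
]


def scan(procs: Optional[Iterable[ProcInfo]] = None) -> List[Tuple[ProcInfo, str]]:
    """Scan a snapshot (default: the live system) and return the flagged processes."""
    return suspicious(collect_procs() if procs is None else procs)


if __name__ == "__main__":
    for proc, why in scan():
        print(f"pid {proc.pid:>6} {proc.comm:<16} {str(proc.exe):<40} {why}")
```

Treat a hit as a lead rather than a verdict: a long-running daemon also shows " (deleted)" after its package was upgraded underneath it, so confirm by checking whether the package manager knows the path and what sockets the process holds open. Run it as root, or the exe links of other users' processes will come back unreadable and be skipped.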
Harpaz said Guardicore researchers first stumbled upon the botnet in January. Since then, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecommunications companies, and universities. The botnet has so far succeeded in infecting 500 servers belonging to "well-known universities in the USA and Europe and a railway company."
Once installed, the malicious payload can execute commands, including ones that run scripts and download databases, logs, or files. To bypass firewalls and endpoint protection, the attackers forward commands over SSH to a Netcat client on the infected machine; Netcat then connects to a "malware server." (The mention of this server suggests that FritzFrog's peer-to-peer structure may not be absolute, or the "malware server" may be hosted on one of the infected machines rather than on dedicated infrastructure. Guardicore Labs researchers weren't immediately available to clarify.)
To infiltrate and analyze the botnet, the researchers wrote a program that performs the encryption key exchange the botnet uses to send commands and receive data.
"With this program, which we called Frogger, we were able to examine the nature and extent of the network," wrote Harpaz. "With Frogger, we were also able to join the network by 'injecting' our own nodes and participating in ongoing P2P traffic."
Before an infected machine reboots, FritzFrog installs its own public SSH key in the server's "authorized_keys" file. The key acts as a backdoor in case the weak password is changed: key-based logins are accepted regardless of the account password, so a password reset alone does not evict the attacker.
Wednesday's findings suggest that administrators who have not protected their SSH servers with strong, unique passwords, or better still with key-based authentication and password logins disabled, may already be running malware that is hard for the untrained eye to spot. Since the backdoor lives in authorized_keys, cleanup also means auditing that file for keys nobody provisioned. The report includes a link to indicators of compromise and a program that can be used to detect infected machines.
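Because a rogue entry in authorized_keys survives a password change, the practical check is to compare every key on the server against the keys you actually provisioned. The script below is an added example written for this article, not Guardicore's tooling: it parses the authorized_keys format (including option-prefixed lines), prints the OpenSSH-style SHA256 fingerprint of each key, and flags any entry whose key blob is not on the allow-list. The sample file and the ed25519 key bytes in it are constructed, as are the names alice@workstation and deploy@ci.

```python
"""Audit an authorized_keys file against an allow-list of provisioned public keys.

Added example, not from the Guardicore report. Parses each line, reports the
OpenSSH SHA256 fingerprint, and flags keys that were never provisioned as
well as malformed lines (which deserve a look in their own right).
"""
import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class KeyEntry:
    line_no: int
    options: str       # e.g. command="...",no-pty; empty for plain entries
    key_type: str
    blob: str          # base64 key blob exactly as written in the file
    comment: str
    fingerprint: str
    problem: str = ""  # non-empty when the line could not be parsed cleanly


def fingerprint(raw: bytes) -> str:
    """OpenSSH fingerprint: base64(SHA256(wire-format key)) with '=' padding stripped."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            tokens = shlex.split(stripped)   # handles quoted option values such as command="..."
        except ValueError as exc:
            entries.append(KeyEntry(n, "", "", "", "", "", f"unparseable: {exc}"))
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(KeyEntry(n, "", "", "", "", "", "no recognised key type"))
            continue
        key_type, blob = tokens[idx], tokens[idx + 1]
        try:
            raw = base64.b64decode(blob, validate=True)
            (name_len,) = struct.unpack(">I", raw[:4])     # wire format: string type, then key data
            wire_type = raw[4:4 + name_len].decode()
        except Exception as exc:
            entries.append(KeyEntry(n, "", key_type, blob, "", "", f"bad key blob: {exc}"))
            continue
        problem = "" if wire_type == key_type else f"type mismatch: blob says {wire_type}"
        entries.append(KeyEntry(n, " ".join(tokens[:idx]), key_type, blob,
                                " ".join(tokens[idx + 2:]), fingerprint(raw), problem))
    return entries


def unknown_keys(entries: Iterable[KeyEntry], allowed_blobs: Set[str]) -> List[KeyEntry]:
    """Entries that are malformed or whose key was not provisioned."""
    return [e for e in entries if e.problem or e.blob not in allowed_blobs]


def _ed25519_blob(pubkey: bytes) -> str:
    """Encode 32 raw bytes as an ssh-ed25519 wire-format blob (constructed test data)."""
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pubkey)) + pubkey
    return base64.b64encode(raw).decode()


# Constructed sample: two provisioned keys plus an unexpected third one and a broken line.
ADMIN_KEY = _ed25519_blob(bytes(range(32)))
DEPLOY_KEY = _ed25519_blob(bytes(range(32, 64)))
INTRUDER_KEY = _ed25519_blob(b"\xff" * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# keys managed by config management
ssh-ed25519 {ADMIN_KEY} alice@workstation
command="/usr/local/bin/deploy",no-pty ssh-ed25519 {DEPLOY_KEY} deploy@ci
ssh-ed25519 {INTRUDER_KEY}
ssh-rsa not*valid*base64 broken@entry
"""
ALLOWED = {ADMIN_KEY, DEPLOY_KEY}


def audit(text: str = SAMPLE_AUTHORIZED_KEYS, allowed: Set[str] = ALLOWED) -> List[KeyEntry]:
    """Return the entries that need a human's attention."""
    return unknown_keys(parse_authorized_keys(text), allowed)


if __name__ == "__main__":
    for e in audit():
        print(f"line {e.line_no}: {e.problem or 'UNKNOWN KEY'} {e.key_type} {e.fingerprint} {e.comment!r}")
```

Run it against each user's ~/.ssh/authorized_keys and against any AuthorizedKeysFile paths set in sshd_config, with the allow-list taken from your provisioning source rather than from the host itself. Keying the allow-list on the blob rather than the comment matters: the comment is free text and an attacker can make it look like anything.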