

Sophisticated P2P Botnet Targeting SSH Servers

'FritzFrog' is fileless, uses its own proprietary P2P implementation, and has breached at least 500 servers so far, Guardicore says.

Researchers at Guardicore Labs have discovered a sophisticated peer-to-peer (P2P) botnet actively targeting SSH servers worldwide since at least January 2020.

The botnet, dubbed FritzFrog, has been observed attempting to brute-force and spread to tens of millions of IP addresses including those belonging to government offices, banks, telecom companies, medical centers, and educational institutions. So far, FritzFrog has breached at least 500 SSH servers at multiple well-known universities in the US and Europe and one railway company, according to Guardicore.

Like other P2P botnets, FritzFrog has no centralized command-and-control infrastructure. Control is instead distributed among all nodes in the network: each node can pick targets, talk to the other nodes over an encrypted channel, and push updates to them. Security experts consider such botnets considerably harder to take down than centralized ones because there is no single point of failure or point of control.

Several features, though, set FritzFrog apart from other botnets and make it more dangerous. The malware, written in the Go programming language, operates entirely in memory: it assembles and executes payloads and transfers files in memory, so it leaves no trace on disk.

Each node on the FritzFrog botnet stores a constantly updated database of targets, breached machines, and peers. Guardicore's analysis shows that no two nodes on the botnet attempt to attack the same target machine. Instead they use a sort of "vote-casting" process to distribute targets evenly across the network, the security vendor says. Once on a system, the malware drops a backdoor that allows attackers to potentially regain access to a compromised machine even if the malware is removed.

Significantly, FritzFrog's P2P implementation also appears to have been developed from scratch and relies on no known protocols, suggesting its developers are highly sophisticated, Guardicore said in a report Wednesday.

"FritzFrog is not the first fileless bot; but it might be the first fileless P2P botnet," says Ophir Harpaz, security researcher at Guardicore. The malware's completely in-memory file-transfer system "is a torrent-like approach that we've rarely - and perhaps never - seen previously used in malware."

Harpaz says the FritzFrog samples Guardicore analyzed show the malware currently running a Monero cryptominer. However, the miner is highly unlikely to be a top priority for the attackers, she says. What seems much more probable is that the attackers want access to and control over breached SSH servers so they can sell that access on underground markets.

P2P Botnet-For-Hire

"Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service," Harpaz says. "Since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet," and be used for distributing malware or other malicious activity.

According to Guardicore, each node on the FritzFrog botnet can launch brute-force password-guessing attacks to try to break into SSH servers. The dictionary of credentials FritzFrog uses to brute-force its way into systems is more extensive than that normally used by P2P botnets.
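To show what this brute-forcing looks like from the defender's side, here is an added Python example (not Guardicore's code and not taken from the article) that scans OpenSSH "Failed password" lines in syslog format and raises an alert when one source address racks up repeated failures inside a short window, also counting how many distinct account names were tried, which separates a credential spray from one user fumbling a password. The log lines are constructed for the example, the source addresses are documentation ranges, and the threshold, window and assumed log year are this example's own choices to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# OpenSSH failure line as syslog writes it. Syslog does not log the year, so
# the parser takes it as a parameter (assumed 2020 for the constructed sample).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log: one address spraying several account names within
# seconds, and one legitimate user mistyping a password twice, 40 minutes apart.
SAMPLE_LOG = """\
Aug 19 10:01:05 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Aug 19 10:01:06 host1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Aug 19 10:01:07 host1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 41041 ssh2
Aug 19 10:01:08 host1 sshd[2207]: Failed password for root from 198.51.100.7 port 41055 ssh2
Aug 19 10:01:09 host1 sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 41060 ssh2
Aug 19 10:03:14 host1 sshd[2240]: Accepted publickey for deploy from 203.0.113.9 port 50111 ssh2
Aug 19 10:05:30 host1 sshd[2260]: Failed password for alice from 203.0.113.9 port 50120 ssh2
Aug 19 10:45:30 host1 sshd[2300]: Failed password for alice from 203.0.113.9 port 50131 ssh2
"""

Event = Tuple[datetime, str, str]  # (timestamp, source ip, user name tried)


def parse_failures(lines: Iterable[str], year: int = 2020) -> List[Event]:
    """Extract failed-password events; lines that are not failures are ignored."""
    events: List[Event] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, Tuple[int, int]]:
    """Sliding window per source IP. An address is flagged the first time
    `threshold` failures fall inside the window; the value is (failures in
    that window, distinct user names tried in it)."""
    window = timedelta(seconds=window_seconds)
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    alerts: Dict[str, Tuple[int, int]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = (count, len({u for _, u in evs[start:end + 1]}))
                break
    return alerts


def demo() -> Dict[str, Tuple[int, int]]:
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(parse_failures(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for ip, (count, users) in demo().items():
        print(f"ALERT {ip}: {count} failures in window, {users} distinct users tried")
```

On the sample, only 198.51.100.7 fires: five failures in five seconds across four user names. The two failures from 203.0.113.9 are 40 minutes apart and never meet the threshold. A per-source threshold is the right shape for a botnet whose nodes each take their own targets; the inverse case, many sources each trying one password against one account, needs a per-target-account window instead.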

Disrupting the FritzFrog botnet can be challenging since each node on the network effectively functions like a command-and-control server, Harpaz says. "In the regular client-server botnets, taking down the single command and control server will remove the stinger from the bee. This is not the case with P2P networks," she says.

Guardicore has released a detection script that organizations can use to check for the presence of the malware on SSH servers.
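As an added illustration of how to hunt for the in-memory-only execution described above, here is a small Python check that is not Guardicore's detection script and carries no FritzFrog-specific indicators: it walks procfs and reports every process whose executable image is no longer backed by a file on disk. The procfs layout it reads (`/proc/<pid>/exe`, `/proc/<pid>/comm`), the marker strings Linux uses for deleted and memfd-backed images, and the constructed process table in `demo()` are this example's own assumptions.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Linux reports an executable that no longer exists on disk by appending
# " (deleted)" to the /proc/<pid>/exe link target; an image created with
# memfd_create() shows up as "/memfd:<name> (deleted)". Both are the
# footprint of code that runs without a backing file.
DELETED_SUFFIX = " (deleted)"
MEMFD_PREFIX = "/memfd:"


def is_fileless_exe(link_target: str) -> bool:
    """True when the exe link target points at an image with no file on disk."""
    return link_target.endswith(DELETED_SUFFIX) or link_target.startswith(MEMFD_PREFIX)


def read_comm(pid_dir: str) -> str:
    """Process name as the kernel records it (15 chars max); '?' if unreadable."""
    try:
        with open(os.path.join(pid_dir, "comm"), encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Return (pid, comm, exe_target) for every process whose executable is
    deleted or memfd-backed. Entries that cannot be read (kernel threads,
    processes that exited mid-scan, or no permission) are skipped; run as
    root for full coverage, since exe links of other users' processes are
    unreadable otherwise."""
    hits: List[Tuple[int, str, str]] = []
    pids = sorted(int(name) for name in os.listdir(proc_root) if name.isdigit())
    for pid in pids:
        pid_dir = os.path.join(proc_root, str(pid))
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        if is_fileless_exe(target):
            hits.append((pid, read_comm(pid_dir), target))
    return hits


def build_fake_proc(root: str, table: Dict[int, Tuple[str, str]]) -> None:
    """Constructed fixture: lay out <root>/<pid>/{comm,exe} the way procfs does."""
    for pid, (comm, exe_target) in table.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        with open(os.path.join(pid_dir, "comm"), "w", encoding="utf-8") as fh:
            fh.write(comm + "\n")
        os.symlink(exe_target, os.path.join(pid_dir, "exe"))  # dangling link is fine


def demo() -> List[Tuple[int, str, str]]:
    """Run the scanner over a constructed procfs tree, not the live system."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, {
            1: ("systemd", "/usr/lib/systemd/systemd"),
            742: ("sshd", "/usr/sbin/sshd"),
            1337: ("worker", "/tmp/.x (deleted)"),        # unlinked after exec
            2048: ("loader", "/memfd:payload (deleted)"),  # never written to disk
        })
        return scan_proc(root)


if __name__ == "__main__":
    for pid, comm, exe in scan_proc():
        print(f"pid={pid} comm={comm} exe={exe}")
```

Treat a hit as a lead, not a verdict: a long-running daemon whose package was upgraded underneath it also shows "(deleted)", so follow up on each hit by checking the process's parent, its open sockets and its memory maps. Guardicore's own script looks for indicators specific to FritzFrog that the article does not list; this check only captures the general condition that such a script builds on.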

P2P botnets like FritzFrog remain relatively rare. However, they are a growing threat. One of the more notable examples is DDG, a cryptomining botnet that researchers at NetLab first reported in January 2018. The botnet started out as a typical, centrally controlled network of infected machines, but it has evolved continually and now has a P2P communications capability, although it still uses a static C2 server as well.

Mozi, an IoT botnet that researchers at CenturyLink discovered earlier this year, is another example. The malware combines code from three older IoT malware families, Mirai, Gafgyt, and IoT Reaper, and grew to about 2,200 nodes at its peak.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
