Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:10 PM
Connect Directly

Sophisticated P2P Botnet Targeting SSH Servers

'FritzFrog' is fileless, uses its own proprietary P2P implementation, and has breached at least 500 servers so far, Guardicore says.

Researchers at Guardicore Labs have discovered a sophisticated peer-to-peer (P2P) botnet actively targeting SSH servers worldwide since at least January 2020.

The botnet, dubbed FritzFrog, has been observed attempting to brute-force and spread to tens of millions of IP addresses including those belonging to government offices, banks, telecom companies, medical centers, and educational institutions. So far, FritzFrog has breached at least 500 SSH servers at multiple well-known universities in the US and Europe and one railway company, according to Guardicore.

Like other P2P botnets, FritzFrog does not have a centralized command-and-control infrastructure. Instead, control is distributed among all nodes on the network, with each node having the ability to target systems and to communicate with and update each other, over an encrypted channel. Security experts consider such botnets a lot harder to take down than centralized botnets because they don't have one single point of failure or point of control.

Multiple features though make FritzFrog different from — and more dangerous than — other botnets. The malware, which is written in the GO programming language, operates completely in memory. The malware leaves no traces on disk because it assembles and executes payloads and shares files all in-memory.

Each node on the FritzFrog botnet stores a constantly updated database of targets, breached machines, and peers. Guardicore's analysis shows that no two nodes on the botnet attempt to attack the same target machine. Instead they use a sort of "vote-casting" process to distribute targets evenly across the network, the security vendor says. Once on a system, the malware drops a backdoor that allows attackers to potentially regain access to a compromised machine even if the malware is removed.

Significantly, FritzFrog's P2P implementation also appears to have been developed from scratch and relies on no known protocols, suggesting its developers are highly sophisticated, Guardicore said in a report Wednesday.

"FritzFrog is not the first fileless bot; but it might be the first fileless P2P botnet," says Ophir Harpaz, security researcher at Guardicore. The malware's completely in-memory file-transfer system "is a torrent-like approach that we've rarely - and perhaps never - seen previously used in malware."

Harpaz says that the FritzFrog samples that Guardicore analyzed show the malware to be currently executing a Monero cryptominer. However, it is highly unlikely that the miner is a top priority for the attackers, she says. What seems much more probable is that the attackers are interested in obtaining access to and gaining control over breached SSH servers so they can sell access to these servers in underground markets. 

P2P Botnet-For-Hire

"Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service," Harpaz says. "Since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet," and be used for distributing malware or other malicious activity.

According to Guardicore, each node on the FritzFrog botnet is capable of launching brute-force password guessing attacks to try and break into SSH servers. The dictionary of credentials that Guardicore uses to brute-force its way into systems is more extensive than that normally used by P2P botnets.

Disrupting the FritzFrog botnet can be challenging since each node on the network effectively functions like a command-and-control server, Harpaz says. "In the regular client-server botnets, taking down the single command and control server will remove the stinger from the bee. This is not the case with P2P networks," she says.

Guardicore has released a detection script that organizations can use to check for the presence of the malware on SSH servers.

P2P botnets like FritzFrog continue to be relatively rare. However they are a growing threat. One of the more notable examples of a P2P botnet is DDG, a cryptomining botnet that researchers from NetLab first reported in Jan 2018. The botnet started off as a typical, centrally controlled network of infected machines. But it has kept constantly evolving and now has a P2P communications capability though it also uses a static C2 server.

Mozi, an IoT botnet that researchers at CenturyLink discovered earlier this year is another example. The malware combines code from three older IoT malware variants — Mirai, Gafgyt, and IoT Reaper — and grew to about 2,200 nodes at its peak.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS build 20210202 (and later) QT...
PUBLISHED: 2021-04-16
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...