P2P botnet 'FritzFrog' that infects SSH servers around the world



Security researchers have reported the existence of a new type of P2P botnet, 'FritzFrog', that targets Secure Shell (SSH) servers, which are used to communicate securely with remote computers over encrypted and authenticated connections.

FritzFrog: A New Generation of Peer-to-Peer Botnets | Guardicore Labs
https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/

New P2P botnet infects SSH servers all over the world | Ars Technica
https://arstechnica.com/information-technology/2020/08/new-p2p-botnet-infects-ssh-servers-all-over-the-world/

FritzFrog malware attacks Linux servers over SSH to mine Monero
https://www.bleepingcomputer.com/news/security/fritzfrog-malware-attacks-linux-servers-over-ssh-to-mine-monero/

Researchers at the security company Guardicore have reported the existence of a P2P botnet called 'FritzFrog' that infects SSH servers using proprietary software written from scratch. Because FritzFrog operates as a P2P network, management is distributed across the many infected nodes instead of relying on a control server to receive stolen data. As a result, with no centralized server to take down, it is hard to discover and hard to shut down completely.

'The interesting thing about FritzFrog is that, at first glance, there is no explicit command and control (CNC) server connected to it. It became clear after the investigation began,' said Guardicore security researcher Ophir Harpaz.



In FritzFrog, the attack starts when a malicious payload is installed on the target server. Once the payload is installed, the attacker can execute about 30 different commands that steal databases and logs and download files. To evade protection at firewalls and endpoints, FritzFrog relays commands to its malware server through Netcat: commands are fed into the infected machine's Netcat client over the SSH connection. It has also been pointed out that this malware server may itself be hosted on one of the FritzFrog-infected machines, which is said to be a likely weakness of FritzFrog's P2P structure.

Guardicore summarizes the features of FritzFrog, a P2P botnet, as follows.

· Detected in at least 20 versions of its software binaries since January 2020.
· Focused on infecting SSH servers, which network administrators use to manage machines.
· Installs a backdoor on the infected server.
· More extensive than previously detected botnets, and uses a combined list of login credentials to guess weak passwords.

Taken together, these features make FritzFrog an effective botnet that is difficult to detect and difficult to remove. Ars Technica, a technology news outlet, said that building such a botnet requires considerable resources and that it can be inferred to be the work of an above-average operator. In addition, FritzFrog combines rapidly evolving versions with a payload that runs only in memory, and it is rated 'strong' against detection by antivirus and other endpoint protection.



Because FritzFrog works over P2P, it is very difficult for security companies and law enforcement agencies to stop the botnet's operations. The typical remedy for this type of malware is to take control of the CNC server. If the FritzFrog-infected servers control each other in a decentralized way, however, this method does not work.

Harpaz said that the company's researchers first discovered FritzFrog around January 2020, and that since then it has spread by targeting tens of millions of IP addresses belonging to government agencies, financial institutions, telecommunications companies, universities and others. At the time of writing, FritzFrog appears to have infected about 500 servers, including those owned by 'famous American and European universities and railway companies'.

To get inside FritzFrog and analyze it, Guardicore also developed a program that performs the key exchange the botnet uses to encrypt commands and data. 'This program, called Frogger, allows us to investigate the nature and scope of the network. Frogger allows us to 'insert' our own nodes into the botnet and take part in its P2P traffic, and by doing so we have been able to join the network.'

As noted, FritzFrog is a botnet that is very difficult to detect, but Guardicore has published a FritzFrog detection script that runs on an SSH server, with which server owners can check whether their own servers are infected with FritzFrog.
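Guardicore's own script is not reproduced here. As an added example (not Guardicore's code), the check below implements one generic test of the kind such a script performs on Linux: it lists processes whose executable is no longer present on disk, which is how a payload that runs only in memory typically shows up under /proc. It assumes a Linux-style /proc layout and is exercised on a constructed fake tree rather than a live system.

```python
import os
import tempfile


def fileless_processes(proc_root="/proc"):
    """Return (pid, comm, exe_target) for every process whose executable is no
    longer on disk: the /proc/<pid>/exe link is marked '(deleted)' or points at
    a path that does not exist. A payload that runs only in memory shows up this
    way; so does a legitimate binary upgraded while running, so treat each hit
    as something to verify, not as proof of infection."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue                     # kernel thread, exited, or no permission
        if target.endswith(" (deleted)") or not os.path.exists(target):
            try:
                with open(os.path.join(pid_dir, "comm")) as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = "?"
            findings.append((int(entry), comm, target))
    return sorted(findings)


def build_sample_proc():
    """Constructed fake /proc tree (not a real system) for trying the check:
    pid 100 runs a binary still on disk, pid 200 a binary unlinked after launch."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    on_disk = os.path.join(root, "sshd-binary")
    open(on_disk, "w").close()
    removed = os.path.join(root, "dropped-payload") + " (deleted)"
    for pid, comm, exe in ((100, "sshd", on_disk), (200, "worker", removed)):
        pid_dir = os.path.join(root, str(pid))
        os.mkdir(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))
        with open(os.path.join(pid_dir, "comm"), "w") as fh:
            fh.write(comm + "\n")
    return root


if __name__ == "__main__":
    print("sample tree:", fileless_processes(build_sample_proc()))  # only pid 200
    if os.path.isdir("/proc"):
        print("this host:", fileless_processes())                  # live /proc
```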

in Software, Security, Posted by logu_ii