It’s tougher than ever to take down SSH botnet after a period of hiding out

Two years ago, researchers found an unusual botnet that had evaded every attempt to shut it down; it had infected roughly 500 servers spread across dozens of institutions and corporations around the world. Now, after 16 months of relative quiet, those same researchers report that the FritzFrog botnet has resurfaced with new capabilities and a much larger number of infected machines.

Beware of SSH servers!

SSH (secure shell) servers can be found on just about anything, from cloud instances to data centre servers to routers, and FritzFrog installs on them an unusually complex payload that was written from scratch. Researchers from Guardicore Labs (now Akamai Labs) first described it in mid-2020, calling it a “next-generation” botnet because of its full feature set and well-engineered architecture.

It had a decentralised, peer-to-peer design that spread command and control across the infected nodes themselves rather than relying on a single server, which made it hard to identify or take down by the usual means. It also had a number of sophisticated features, such as:

Payloads that run entirely in memory, so nothing is written to the server’s disk.
At least 20 versions of the binary released since January.
An exclusive focus on infecting SSH servers, which network administrators use to manage machines remotely.
A backdoor that gives the operators continued access to compromised systems.
A list of login credential combinations, used to find weak passwords, that is more “extensive” than those seen in earlier botnets.

By August 2020, FritzFrog’s network had grown to around 500 machines belonging to well-known enterprises. After the report was published, the rate of new infections fell off. Since last December, however, the infection rate has risen tenfold, according to Akamai researchers, who published their findings on Thursday.

The malware is under constant development, and over the past several months it has gained new features and more aggressive infection tactics. Its victims include a European television channel network, a Russian manufacturer of health care equipment, and several institutions in East Asia.

FritzFrog spreads by scanning the Internet for SSH servers and, when it finds one, trying to log in with its list of credentials. Every infected server runs the same software and takes part in the scanning, so the botnet grows automatically without any operator-run infrastructure. Each node scans millions of IP addresses on ports 22 and 2222 while continuously listening for peer connections on port 1234. When nodes contact each other, they exchange data so that all of them are running the newest malware version and hold the most up-to-date database of targets and compromised machines.

To get past firewalls and endpoint security software, FritzFrog pipes commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server”, which is itself hosted on another infected system rather than on a central server.
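The three traits described above (brute-forced logins against SSH, a peer listener on port 1234, and netcat driven over an SSH session) each leave a trace on the host. The Python below is an added example, not code from Akamai, Guardicore or FritzFrog itself, showing how a defender could check for those traces. The `ss`, `ps` and sshd log samples are constructed for the example, and the process names and thresholds (five failures across at least three usernames) are assumptions rather than published signatures.

```python
import re
from collections import defaultdict

# Indicators taken from the article: infected nodes listen on TCP 1234 for
# peers, logins are brute-forced, and commands are piped over SSH to netcat.
# Process names and thresholds here are assumptions, not FritzFrog signatures.
FRITZFROG_P2P_PORT = 1234
NETCAT_NAMES = {"nc", "netcat", "ncat"}

# Constructed `ss -lntp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096         0.0.0.0:1234      0.0.0.0:*     users:(("updater",pid=4471,fd=5))
LISTEN 0      511        127.0.0.1:1234      0.0.0.0:*     users:(("devtool",pid=990,fd=6))
"""

# Constructed `ps -eo pid,ppid,comm` output: one nc under an SSH session,
# one nc under a plain interactive shell.
SAMPLE_PS_OUTPUT = """\
  PID  PPID COMMAND
    1     0 systemd
  812     1 sshd
 4470   812 sshd
 4475  4470 nc
 2100     1 bash
 2110  2100 nc
"""

# Constructed sshd syslog lines (not real traffic).
SAMPLE_AUTH_LOG = [
    "Feb 10 03:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Feb 10 03:14:02 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2",
    "Feb 10 03:14:02 web1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 40126 ssh2",
    "Feb 10 03:14:03 web1 sshd[2207]: Failed password for invalid user ubuntu from 198.51.100.7 port 40128 ssh2",
    "Feb 10 03:14:03 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2",
    "Feb 10 03:14:05 web1 sshd[2211]: Accepted password for root from 198.51.100.7 port 40132 ssh2",
    "Feb 10 03:20:51 web1 sshd[2303]: Accepted publickey for alice from 203.0.113.9 port 51004 ssh2",
]

SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
PS_LINE = re.compile(r'^\s*(\d+)\s+(\d+)\s+(\S+)')
SSHD_LINE = re.compile(
    r'sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+'
)


def find_p2p_listeners(ss_output, port=FRITZFROG_P2P_PORT):
    """Return (address, process) for sockets on `port` reachable from outside.
    A P2P node must be reachable by its peers, so loopback-only binds are skipped."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m and int(m.group(2)) == port and m.group(1) not in ("127.0.0.1", "[::1]"):
            hits.append((m.group(1), m.group(3)))
    return hits


def find_netcat_under_sshd(ps_output):
    """Return PIDs of netcat processes with sshd somewhere in their ancestry."""
    parent, name = {}, {}
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if m:
            parent[int(m.group(1))] = int(m.group(2))
            name[int(m.group(1))] = m.group(3)
    hits = []
    for pid, comm in name.items():
        if comm not in NETCAT_NAMES:
            continue
        cur = parent[pid]
        while cur in name:  # walk towards PID 1
            if name[cur] == "sshd":
                hits.append(pid)
                break
            cur = parent[cur]
    return hits


def find_bruteforce_sources(log_lines, min_failures=5, min_users=3):
    """Flag sources whose failures span several usernames (a credential sweep),
    and record any login that later succeeded from the same source."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_lines:
        m = SSHD_LINE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            per_ip[ip]["failed"] += 1
            per_ip[ip]["users"].add(user)
        else:
            per_ip[ip]["accepted"].append(user)
    return {
        ip: {"failed": s["failed"], "users": sorted(s["users"]), "accepted": s["accepted"]}
        for ip, s in per_ip.items()
        if s["failed"] >= min_failures and len(s["users"]) >= min_users
    }


if __name__ == "__main__":
    print("listeners on 1234:", find_p2p_listeners(SAMPLE_SS_OUTPUT))
    print("netcat under sshd:", find_netcat_under_sshd(SAMPLE_PS_OUTPUT))
    for ip, info in find_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On a live host you would feed the functions the real output of `ss -lntp`, `ps -eo pid,ppid,comm` and the sshd lines from `/var/log/auth.log` or `journalctl -u ssh`. None of the three checks is proof of infection on its own: a listener on 1234 bound to a public address, a netcat child of an SSH session, or a source address that swept many usernames and then got in are each worth a look, and all three together on one machine are a strong signal.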
