Jeremy Herold

Botnet Infects SSH Servers


A new P2P botnet is infecting SSH servers all over the world

Researchers have discovered a previously unknown botnet that uses unusually advanced measures to covertly target millions of servers around the world.

The proprietary software for this botnet was written from scratch in order to infect servers and corral them into a peer-to-peer network.

Peer-to-peer (P2P) botnets are difficult to spot and even more difficult to shut down, as they have no centralized server.

Instead, they distribute their administration among many infected nodes.

The botnet, named FritzFrog by Guardicore Labs, has many advanced features, including:

In-memory payloads

20+ versions of the software binary – since January 2020

A singular focus on infecting SSH servers – the servers that network administrators use to manage devices

The ability to circumvent authentication requirements

A list of login credential combinations in order to seek out weak login passwords

The peer-to-peer nature of this botnet makes it more difficult than normal for researchers and law enforcement to shut down the operation.

As the typical means of taking down a botnet is to take control of its command-and-control server, this peer-to-peer nature makes the traditional takedown measure impossible.

This peer-to-peer nature of the botnet also makes it impossible to sift through control servers and domains for clues on the identity of the hackers.

This botnet works fast.

Once the botnet has been installed on a server, its malicious code can execute 30 commands that run scripts in order to download databases, logs, and/or files.

In order to evade firewalls and endpoint protection, attackers send commands over SSH to a netcat client on the infected machine.

So far, this botnet has succeeded in infecting 500+ servers.
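Because the botnet gets in by trying a list of login credential combinations against SSH, a defender can look in the sshd log for a password login that succeeds right after a run of failures from the same address. The script below is an added example, not code from Guardicore Labs or from the botnet; the log lines are constructed samples in OpenSSH's syslog format, and the function name and the failure threshold are assumptions. It is a generic guessed-password heuristic, not a FritzFrog signature.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines; the addresses are documentation ranges,
# not indicators taken from the article.
SAMPLE_LOG = """\
Aug 20 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40100 ssh2
Aug 20 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Aug 20 10:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 40104 ssh2
Aug 20 10:00:07 host sshd[1004]: Failed password for root from 203.0.113.7 port 40106 ssh2
Aug 20 10:00:09 host sshd[1005]: Accepted password for root from 203.0.113.7 port 40108 ssh2
Aug 20 10:05:00 host sshd[1010]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Aug 20 10:05:10 host sshd[1011]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
Aug 20 10:09:00 host sshd[1020]: Accepted publickey for deploy from 192.0.2.15 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, min_failures=3):
    """Return (ip, user, failures_before, users_tried) for each password login
    that succeeded after at least min_failures failures from the same source."""
    failures = defaultdict(int)   # failed password attempts per source IP
    users = defaultdict(set)      # distinct usernames tried per source IP
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "password":
            continue              # key-based logins cannot be guessed this way
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(m["user"])
        else:
            if failures[ip] >= min_failures:
                hits.append((ip, m["user"], failures[ip], len(users[ip])))
            failures[ip] = 0      # start a fresh window after any success
            users[ip].clear()
    return hits

if __name__ == "__main__":
    for ip, user, failed, tried in find_guessed_logins(SAMPLE_LOG):
        print(f"{ip}: '{user}' logged in after {failed} failures "
              f"across {tried} usernames")
```

Any account this flags should have its password rotated; disabling SSH password authentication in favor of keys removes the guessing path altogether.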

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648
