Harpaz said that company researchers first stumbled on the botnet in January. Since then, she said, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecom companies, and universities. The botnet has so far succeeded in infecting 500 servers belonging to “well-known universities in the US and Europe, and a railway company.”
Full featured
Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server.” (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it’s possible that the “malware server” is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren’t immediately available to clarify.)
To infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys the botnet uses to send commands and receive data.
“This program, which we named frogger, allowed us to investigate the nature and scope of the network,” Harpaz wrote. “Using frogger, we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic.”
Before infected machines reboot, FritzFrog adds a public encryption key to the server’s “authorized_keys” file. That key acts as a backdoor in the event the weak password gets changed.
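One defender-side check for the persistence mechanism described here, written as an added example (it is not Guardicore’s detection tool or any code from the report): parse each authorized_keys entry, including entries with an options prefix, compute the SHA256 fingerprint that ssh-keygen -lf reports, and flag any key whose fingerprint is not on an administrator-maintained allowlist. The sample file, the key blobs and the allowlist are constructed for illustration.

```python
"""Audit an authorized_keys file against an allowlist of known key fingerprints."""
import base64
import hashlib
import shlex
import struct
# Key line format: [options] key-type base64-blob [comment]; options are optional
# and may hold quoted values such as command="/usr/bin/foo",no-pty.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (key_type, fingerprint, comment) for every key entry in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no key
        tokens = shlex.split(line)        # keeps quoted option values together
        for i, tok in enumerate(tokens):  # first key-type token ends the options
            if tok in KEY_TYPES and i + 1 < len(tokens):
                comment = " ".join(tokens[i + 2:])
                try:
                    fp = fingerprint(base64.b64decode(tokens[i + 1], validate=True))
                except ValueError:
                    fp = "MALFORMED"      # not a valid key; still worth reporting
                entries.append((tok, fp, comment))
                break
    return entries

def find_unknown_keys(text, allowed_fingerprints):
    """Entries whose fingerprint is not on the allowlist (malformed ones included)."""
    return [e for e in parse_authorized_keys(text) if e[1] not in allowed_fingerprints]

def ed25519_blob(pubkey32):
    """SSH wire encoding of an ed25519 public key (used to build constructed test data)."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey32

# Constructed sample file: one key the administrator provisioned, one added later.
KNOWN_BLOB, ROGUE_BLOB = ed25519_blob(bytes(range(32))), ed25519_blob(bytes(32))
SAMPLE = "\n".join([
    "# admin workstation",
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 '
    + base64.b64encode(KNOWN_BLOB).decode() + " admin@workstation",
    "ssh-ed25519 " + base64.b64encode(ROGUE_BLOB).decode() + " unknown@persistence",
])
ALLOWED = {fingerprint(KNOWN_BLOB)}   # what the administrator expects to find
```

Running find_unknown_keys(SAMPLE, ALLOWED) reports only the second entry; on a real host the allowlist would be built from fingerprints of keys the administrator provisioned, and every user’s authorized_keys file (root’s included) would be checked.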
The takeaway from Wednesday’s findings is that administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect. The report has a link to indicators of compromise and a program that can spot infected machines.