    After lying low, SSH botnet mushrooms and is harder than ever to take down

    Karlston
    FritzFrog goes on a hacking spree, corralling >1,500 machines all over the world.

    Two years ago, researchers stumbled upon one of the Internet’s most intriguing botnets: a previously undiscovered network of 500 servers, many in well-known universities and businesses around the world, that was impervious to normal takedown methods. After lying low for 16 months, those researchers said, the botnet known as FritzFrog is back with new capabilities and a larger base of infected machines.

    SSH servers, beware

    FritzFrog targets just about anything with an SSH, or secure shell, server—cloud instances, data center servers, routers, and the like—and installs an unusually advanced payload that was written from scratch. When researchers from security firm Guardicore Labs (now Akamai Labs) reported it in mid-2020, they called it a “next-generation” botnet because of its full suite of capabilities and well-engineered design.

    It was a decentralized, peer-to-peer architecture that distributed administration among many infected nodes rather than a central server, making it hard to detect or take down using traditional methods. Some of its advanced traits included:


    • In-memory payloads that never touch the disks of infected servers
    • At least 20 versions of the software binary since January
    • A sole focus on infecting secure shell servers that network administrators use to manage machines
    • The ability to backdoor infected servers
    • A list of login credential combinations used to suss out weak login passwords that is more “extensive” than those in previously seen botnets

    By August 2020, FritzFrog had corralled about 500 machines from well-known organizations into its network. Following the report, the P2P botnet scaled down the number of new infections. Starting last December, Akamai researchers reported on Thursday, the botnet's infection rate increased tenfold and has now mushroomed to more than 1,500 machines.

    [Image: fritzfrog-infections (credit: Akamai)]

    The advanced software is updated daily to fix bugs and over the past several months has implemented new functionality and more aggressive infection methods. Among the organizations it has infected in its latest form are a European television channel network, a Russian manufacturer of health care equipment, multiple universities in East Asia and others in healthcare, higher education, and government.

    [Image: fritzfrog-infection-locations (credit: Akamai)]

    FritzFrog spreads by scanning the Internet for SSH servers, and when it finds one, it attempts to log in using a list of credentials. When successful, the botnet software installs proprietary malware that makes it a drone in a sprawling, headless P2P network. Each server constantly listens for connections on port 1234 while simultaneously scanning thousands of IP addresses over ports 22 and 2222. When it encounters other infected servers, the servers exchange data with each other to ensure all of them are running the latest malware version and have the most up-to-date database of targets and infected machines.


    To evade firewalls and endpoint protection software, FritzFrog pipes commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server” hosted on an infected machine rather than a central server.

    New bells and whistles

    The latest version can proxy outgoing SSH connections using the Tor privacy network. This proxy forms a network of nodes that allows users to mask the origins of their commands and conceal them in an encrypted tunnel. Commands are passed from node to node until they reach their destination so that each node is only aware of its direct neighbors.


    “By proxying requests to local port 9050, FritzFrog uses the Tor proxy chain to connect to owned SSH devices,” the Akamai researchers wrote in Thursday’s report. “An owned device would see the incoming request as coming from the last node in the proxy chain. This can be used to conceal the address of current infected nodes.”
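    A defender-side check for the three behaviours the article describes (a listener on port 1234, bulk outbound connections to ports 22 and 2222, and SSH traffic proxied through the local Tor SOCKS port 9050), written here as an added example and not taken from the Akamai report. It parses `ss -tanp` output; the sample rows, process names and addresses are constructed, and the scan threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed `ss -tanp` sample (header plus rows), not real data; addresses are RFC 5737 ranges.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN   0 128 0.0.0.0:22      0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN   0 128 0.0.0.0:1234    0.0.0.0:*          users:(("nginx",pid=4242,fd=5))
SYN-SENT 0 1   10.0.0.5:40001  203.0.113.9:22     users:(("nginx",pid=4242,fd=9))
SYN-SENT 0 1   10.0.0.5:40002  203.0.113.10:2222  users:(("nginx",pid=4242,fd=10))
SYN-SENT 0 1   10.0.0.5:40003  198.51.100.7:22    users:(("nginx",pid=4242,fd=11))
ESTAB    0 0   127.0.0.1:40010 127.0.0.1:9050     users:(("nginx",pid=4242,fd=12))
ESTAB    0 0   10.0.0.5:22     192.0.2.44:51000   users:(("sshd",pid=9001,fd=4))
"""
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Turn `ss -tanp` lines into dicts; skips the header and malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or ":" not in parts[3] or ":" not in parts[4]:
            continue
        _lhost, lport = parts[3].rsplit(":", 1)
        phost, pport = parts[4].rsplit(":", 1)
        m = PROC_RE.search(parts[5]) if len(parts) > 5 else None
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        rows.append({"state": parts[0], "lport": lport, "phost": phost,
                     "pport": pport, "name": name, "pid": pid})
    return rows

def fritzfrog_indicators(rows, scan_threshold=3):
    """Return (pid, name, tag) for each behaviour the article attributes to FritzFrog."""
    findings, ssh_peers = [], defaultdict(set)
    for r in rows:
        if r["state"] == "LISTEN" and r["lport"] == "1234":
            findings.append((r["pid"], r["name"], "listen-1234"))   # P2P listener
        elif r["state"] != "LISTEN" and r["pport"] in ("22", "2222"):
            ssh_peers[(r["pid"], r["name"])].add(r["phost"])        # outbound SSH
        elif r["phost"] == "127.0.0.1" and r["pport"] == "9050":
            findings.append((r["pid"], r["name"], "tor-socks"))     # local Tor proxy
    for (pid, name), peers in ssh_peers.items():
        if len(peers) >= scan_threshold:                            # many distinct targets
            findings.append((pid, name, "ssh-scan"))
    return findings

if __name__ == "__main__":
    for pid, name, tag in fritzfrog_indicators(parse_ss(SAMPLE_SS)):
        print(f"{tag:12} pid={pid} ({name})")
```

    On a live host, feed in the output of `ss -tanp` run as root so process names are visible; any one tag is a lead to investigate, and a process that triggers all three is the pattern the article describes.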

    The latest version also uses the secure copy protocol (SCP) to copy itself to remote compromised servers, a change from versions seen in 2020 that used the cat command to drop and install an executable file over an established SSH connection. The new SCP functionality is implemented using a publicly available library written in the Go programming language.

    The list of 30 commands found previously—for running scripts and downloading databases, logs, or files—has also been expanded to add the ability to target sites running the WordPress content management system. The disassembled code below shows the new command `put wordpress`, which adds new entries to lists titled "Wordpress" and "WordpressTargetsTTL."

    [Image: fritzfrog-code, disassembled code showing the new WordPress command (credit: Akamai)]

    As of the latest version analyzed by Akamai researchers, neither the Tor proxying nor the WordPress targeting was actually being used. The inclusion of the new functionality nonetheless indicates that FritzFrog is under constant development by experienced coders.

    The updated botnet software also includes a new blocklist that prevents it from infecting low-end systems with limited resources—such as Raspberry Pi devices or low-resource EC2 images on AWS. Interestingly, and for reasons that aren’t clear, the software also contains two curious entries. One blocks machines at the University of Maryland from being infected. A second—in perhaps a light-hearted acknowledgment that the botnet is being monitored by white hats—displays the following image:

    [Image: fritzfrog-image (credit: Akamai)]

    Searching for clues

    The researchers aren’t sure of the origin, but a new wallet address found in cryptomining processes was also used in a cryptomining campaign that researchers from Netlab 360 dubbed Mozi, which infected more than 1.5 million devices over a two-and-a-half-year period. Operators of that botnet were arrested in China last September, The Record reported.


    Another possible link to China is the large concentration of infected machines in and around that country. About 37 percent of infections are in mainland China.


    “These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China or an actor masquerading as Chinese,” Akamai researchers wrote.

    Because the malware doesn’t store any files on disk, it’s particularly difficult to spot. People who run SSH servers should check a list of compromise indicators to detect infections in their network. Additionally, SSH servers should always be protected by a strong password, two-factor authentication, and a cryptographic certificate.
