
New Botnet Written from Scratch Targets SSH Servers

Silviu STAHIE

August 24, 2020


Security researchers have discovered a new botnet, named FritzFrog, that targets SSH servers and could potentially infect millions of IoT devices.

Most botnets are built on earlier malware code, but genuinely new ones appear from time to time. FritzFrog is one of them: it is written from scratch in Golang and takes a modular approach. Its operators appear to target educational institutions, government agencies, financial organizations and others.

FritzFrog uses its own peer-to-peer (P2P) protocol, which sets it apart from the competition. Its operators are also not interested in ordinary consumers; they aim the malware at higher-value institutional targets, which gives them considerable leverage once an infection succeeds.

Because it spreads by breaking into SSH servers, every IoT device that exposes SSH, routers included, is a potential victim. Exposed SSH ports, left open either by mistake or by design, are among the biggest security issues in the IoT ecosystem.

“With its decentralized infrastructure, it distributes control among all its nodes,” said the security researchers from Guardicore. “In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date.”

“P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange,” they continue. “[It] is completely volatile and leaves no traces on the disk. It creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.”

The researchers wrote a program that let them intercept the P2P traffic and map the entire network. Administrators have a few indicators of compromise they can check for.

They can check whether a fileless process named nginx is running on the server and whether it is listening on port 1234. If a reboot is not possible, admins should kill the fake process, block the port (along with port 5555, used by the cryptominer) and block traffic to the ‘xmrpool.eu’ domain. Because FritzFrog’s persistence is an SSH public key rather than a file, killing the process or rebooting does not remove it: the attacker’s key stays in authorized_keys until it is found and deleted.
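The checks above, turned into a host triage script, as an added example that is not Guardicore’s or Bitdefender’s code. It looks for an nginx process whose executable has been unlinked (the fileless pattern), a listener on TCP/1234, and any key in authorized_keys that is not on your own allow-list. The sample ss output and key material embedded in it are constructed for offline testing, and the ALLOWLIST_FILE path is an assumed location, not something from the original report.

```shell
#!/bin/sh
# Added example, not Guardicore's or Bitdefender's code: triage a Linux host for the
# FritzFrog indicators the article lists (a fileless process named nginx, a listener on
# TCP/1234, a backdoor public key in authorized_keys). Everything marked "constructed" or
# "assumed" below is illustrative, not from the original report.

FRITZFROG_PORT=1234

# Classify the target of `readlink /proc/<pid>/exe`. A binary unlinked after exec (the
# fileless pattern the article describes) shows up as "<path> (deleted)". An empty
# target means readlink failed (usually not root), which is "unknown", not a hit.
exe_is_fileless() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *)             return 1 ;;
    esac
}

# Read `ss -ltnp` output (header included) on stdin and print "<pid> <process>" for
# every socket bound to port $1; empty output means nothing listens there. Column 4 is
# the local address (0.0.0.0:1234 or [::]:1234); users:(("nginx",pid=4242,fd=7)) has the PID.
listeners_on_port() {
    awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ":")
            if (a[n] != port) next
            pid = "?"; name = "?"
            if (match($0, /pid=[0-9]+/))   pid  = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /\(\("[^"]+"/))  name = substr($0, RSTART + 3, RLENGTH - 4)
            print pid, name
        }'
}

# Read an authorized_keys file on stdin and print "UNKNOWN <type> <blob>" for every key
# whose base64 blob is not in $1 (newline-separated allow-list of known-good keys).
# Comments, blank lines and option prefixes (no-pty,command="..." ssh-ed25519 AAAA...)
# are handled. Empty output means every key is on the allow-list.
unknown_authorized_keys() {
    allow="$1"
    awk '!/^[[:space:]]*(#|$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break }
        }' |
    while read -r ktype blob; do
        [ -n "$blob" ] || continue
        printf '%s\n' "$allow" | grep -qF -- "$blob" ||
            printf 'UNKNOWN %s %s\n' "$ktype" "$blob"
    done
}

# Constructed sample data (not real captures) so the helpers can be exercised offline.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   [::]:1234         [::]:*        users:(("nginx",pid=4242,fd=7))
LISTEN 0      511    127.0.0.1:8080    0.0.0.0:*     users:(("python3",pid=991,fd=5))'
KNOWN_KEYS='AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyBlob000000000000000000000000000'
AUTHORIZED_KEYS_SAMPLE='# admin laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyBlob000000000000000000000000000 admin@ws
no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownBlob1111111111 backdoor'

# Live scan of this host with the helpers above (run as root); returns 1 on any hit.
# ALLOWLIST_FILE is an assumed location for your own list of approved public keys.
triage_host() {
    rc=0
    for pid in $(pgrep -x nginx 2>/dev/null); do
        if exe_is_fileless "$(readlink "/proc/$pid/exe" 2>/dev/null)"; then
            echo "HIT fileless nginx pid=$pid"; rc=1
        fi
    done
    hits=$(ss -ltnp 2>/dev/null | listeners_on_port "$FRITZFROG_PORT")
    [ -z "$hits" ] || { echo "HIT tcp/$FRITZFROG_PORT listener: $hits"; rc=1; }
    allow=$(cat "${ALLOWLIST_FILE:-/etc/ssh/approved_keys}" 2>/dev/null)
    for ak in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        unknown=$(unknown_authorized_keys "$allow" < "$ak")
        [ -z "$unknown" ] || { echo "HIT $ak"; echo "$unknown"; rc=1; }
    done
    return $rc
}

if [ "${1:-}" = "--scan" ]; then
    triage_host
fi
```

Run it as root with `sh fritzfrog_triage.sh --scan`; without `--scan` it only defines the helpers so they can be sourced or tested. A process whose `/proc/<pid>/exe` reads as deleted is not proof on its own (package upgrades produce the same symptom for a long-running daemon), so treat a hit as a reason to pull the binary out of `/proc/<pid>/exe` for analysis rather than as a verdict, and remember that an empty allow-list makes every key report as unknown.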

Author


Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.