A New Botnet Is Covertly Targeting Millions of Servers (wired.com)
An anonymous reader quotes a report from Wired: FritzFrog has been used to try and infiltrate government agencies, banks, telecom companies, and universities across the US and Europe. Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.
The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including: In-memory payloads that never touch the disks of infected servers; At least 20 versions of the software binary since January; A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines; The ability to backdoor infected servers; and A list of login credential combinations used to suss out weak login passwords that's more "extensive" than those in previously seen botnets. Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that's effective, difficult to detect, and resilient to takedowns. The new code base -- combined with rapidly evolving versions and payloads that run only in memory -- make it hard for antivirus and other end-point protection to detect the malware.
The botnet has so far succeeded in infecting 500 servers belonging to "well-known universities in the US and Europe, and a railway company." Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a "malware server." (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it's possible that the "malware server" is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren't immediately available to clarify.)
SSH as attack vector? (Score:2)
So those at risk are basically morons that cannot use good passwords and are too incompetent to use certificate-based authentication for their servers or jump-hosts. Will be interesting to see how many they can compromise.
Re: (Score:2)
I'm fine letting random idiots have root on a server. As long as the server doesn't hold any important data and the egress is monitored to trigger alerts; at the very least, block mail traffic to keep it from being a spam host.
Any misbehavior and IT should blow the server away (easy if it's a VM) and re-install. Didn't set up automated backups? That's too bad! For example restic [restic.net] takes like 15 minutes to set up on Linux or Windows.
Re: (Score:2)
I like the way you think ;-)
Re: (Score:2)
Any reasonably competent admin should be running Fail2Ban or something similar to prevent dictionary attacks.
Re: (Score:2)
Indeed, but you get so many dictionary attacks even if you only allow key auth that it becomes bothersome. So, I moved all my ssh daemons open to the Internet to non-standard ports and I haven't seen one since. You may also only allow access for some set of IPs with ipsets. All these strategies add up to diminish the risk of getting infected. Of course, only use strong passwords if you allow password login and update your ssh daemons and libs as well.
Re: (Score:2)
Meh. They'll never find my password in any dictionary. It's:
1...
2...
3...
4...
5...
Re: (Score:2)
You never see the same IP address more than twice a day. It's VERY distributed.
Yep, I first saw this behaviour appearing last year and wondered, my god, what is the size of this botnet? You can get scanned every second but from a different IP every time!
I searched to find which botnet that could be but I didn't find any information back then. Maybe this is what they are talking about in TFS. Hopefully, it didn't take that long to discover but maybe it is the case. I couldn't find anybody else reporting it last year when I searched. I can tell for sure that it has been around for
Re: (Score:2)
Might work if only you need to access the server. Otherwise, too many customers forget about specifying a different port and would get banned without a chance to try again with the right port. In turn, we would get too many support tickets opened. Geoip blocking is more efficient, especially if all your customers are in a well-defined area. Then again, it's kind of useless to bar an IP that only tries to login once a day like that botnet does (not sure it's the botnet mentioned in TFS but a botnet is acti
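The posts above describe a botnet that spreads its SSH password guessing across many source IPs, each trying only once or twice, which is exactly the pattern a per-IP ban threshold never reaches. The following is an added example, not code from the article, Guardicore's report or any poster: it parses constructed sshd lines in auth.log format and counts distinct low-rate source IPs per time bucket instead of attempts per IP; the log lines, the year and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of sshd lines from /var/log/auth.log (not taken from the page or
# from Guardicore's report). Every source IP appears only once, as the thread describes.
SAMPLE_LOG = """\
Aug 19 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Aug 19 10:00:14 host sshd[1203]: Failed password for root from 198.51.100.7 port 40211 ssh2
Aug 19 10:00:29 host sshd[1207]: Failed password for invalid user admin from 192.0.2.9 port 33012 ssh2
Aug 19 10:00:45 host sshd[1210]: Failed password for root from 203.0.113.77 port 52210 ssh2
Aug 19 10:01:02 host sshd[1214]: Failed password for root from 198.51.100.23 port 41400 ssh2
Aug 19 10:01:17 host sshd[1220]: Failed password for invalid user oracle from 192.0.2.31 port 33999 ssh2
Aug 19 11:30:00 host sshd[1300]: Accepted publickey for alice from 192.0.2.100 port 50000 ssh2
Aug 19 11:35:00 host sshd[1305]: Failed password for bob from 192.0.2.100 port 50010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2020):
    """Yield (timestamp, user, ip) for each failed-password line; syslog lines lack the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def per_ip_counts(log_text):
    """Attempts per source IP: the number a per-IP tool such as Fail2Ban keys on."""
    return Counter(ip for _, _, ip in parse_failures(log_text))

def detect_distributed(log_text, bucket_min=5, min_ips=4, per_ip_max=2):
    """Flag time buckets where many distinct IPs each make only a few attempts (assumed thresholds)."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, user, ip in parse_failures(log_text):
        start = ts.replace(minute=ts.minute - ts.minute % bucket_min, second=0)
        buckets[start][ip].append(user)
    alerts = []
    for start, by_ip in sorted(buckets.items()):
        quiet = {ip: users for ip, users in by_ip.items() if len(users) <= per_ip_max}
        if len(quiet) >= min_ips:  # each IP stays under any per-IP ban threshold, yet the aggregate is loud
            users = sorted({u for us in quiet.values() for u in us})
            alerts.append({"bucket": start.strftime("%Y-%m-%d %H:%M"), "ips": len(quiet), "users": users})
    return alerts

if __name__ == "__main__":
    for a in detect_distributed(SAMPLE_LOG):
        print(f"{a['bucket']}: {a['ips']} distinct IPs, targeted users {a['users']}")
```

On the sample, no IP exceeds one attempt, so a per-IP rule stays silent, while the 10:00 bucket is flagged with six sources probing root, admin and oracle.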
Re: (Score:2)
Additionally, look at the iptables TARPIT target that greatly slows down TCP port scanning.
https://serverfault.com/questi... [serverfault.com]
Re: (Score:2)
Well, the "low intensity zombies" have been around forever and they have been successful. As long as too many people have bad security, this will continue.
Re: (Score:2)
This. Short of fail2ban or perhaps sshdfilter, if I have ssh exposed to the world with certificates only, (no password auth) I'm guessing I'm immune to this, correct?
Re: (Score:2)
This. Short of fail2ban or perhaps sshdfilter, if I have ssh exposed to the world with certificates only, (no password auth) I'm guessing I'm immune to this, correct?
Good passwords or certificate auth and you are immune. No need for anything else, unless you mind the log entries or the (probably small) amount of CPU this consumes. Securing SSH is _easy_ and at least OpenSSH has an absolutely excellent security track record.
Targeting is not the same as infecting. (Score:1)
Re: (Score:2)
Can I feed you into my chipper/shredder? Asking for a friend.
Raspi (Score:2)
All of the neat Raspberry-Pi retro game boxes are looking pretty ripe right about now.
Jargon reaching new heights of absurdity (Score:2)
I hope they don't sue the malware researchers for violating their copyright!
Though if you wanted to make it sound maximally pretentious, you should have said
The botnet is a bespoke proprietary solution
Close your SSH port folks (Score:1)
Re: (Score:2)
AWS, DigitalOcean, Google Cloud, and other vendors should be actively scanning their IP space for SSH ports that are open to the world and notifying the account owners that they have 15 days to lock down the SSH port for long-running instances or get booted off their platforms. That would fix a lot of issues.
A lot of the SSH guessing attempts I'm seeing are coming from DigitalOcean IP addresses. Not so much Google or AWS.
Re: (Score:2)
Yep. Just recently I've had a lot of scans from DigitalOcean addresses.
Now, my firewall sends the whole subnet from any DigitalOcean scanner straight into the bit bucket.
Just call the Help Desk! (Score:2)
In-memory payloads that never touch the disks of infected servers;
Doesn't anyone reboot any more? Aversion to rebooting is getting silly when downtime is now counted in 9 seconds or less.