After lying low, SSH botnet mushrooms and is harder than ever to take down:
Two years ago, researchers stumbled upon one of the Internet's most intriguing botnets: a previously undiscovered network of 500 servers, many in well-known universities and businesses around the world, that was impervious to normal takedown methods. After lying low for 16 months, those researchers said, the botnet known as FritzFrog is back with new capabilities and a larger base of infected machines.
FritzFrog targets just about anything with an SSH, or secure shell, server—cloud instances, data center servers, routers, and the like—and installs an unusually advanced payload that was written from scratch. When researchers from security firm Guardicore Labs (now Akamai Labs) reported it in mid-2020, they called it a "next-generation" botnet because of its full suite of capabilities and well-engineered design.
It was a decentralized, peer-to-peer architecture that distributed administration among many infected nodes rather than a central server, making it hard to detect or take it down using traditional methods.
Some of its advanced traits included:
- In-memory payloads that never touch the disks of infected servers
- At least 20 versions of the software binary since January
- A sole focus on infecting secure shell servers that network administrators use to manage machines
- The ability to backdoor infected servers
- A list of login credential combinations used to suss out weak login passwords that is more "extensive" than those in previously seen botnets
By August 2020, FritzFrog had corralled about 500 machines from well-known organizations into its network. Following the report, the P2P botnet scaled down the number of new infections. Akamai researchers reported on Thursday that, starting last December, the botnet's infection rate increased tenfold and its population has now mushroomed to more than 1,500 machines.
(Score: 3, Funny) by Anonymous Coward on Sunday February 13, @12:45PM
I use Linux and the malware authors will never be able to figure out Poettering's systemd-sshd functionality.
(Score: 3, Interesting) by FatPhil on Sunday February 13, @01:44PM (5 children)
I know I'm God, because every time I pray to him, I find I'm talking to myself.
(Score: 2) by Oakenshield on Sunday February 13, @10:53PM (3 children)
One of my servers is constantly getting hit with password guessers. Fail2ban only gets about 10% of them because it is so widely distributed; hardly more than two hits per IP each hour. I have password authentication disabled so they're wasting their effort, but still.
I did firewall off all the IP blocks on Linode since they seem to harbor more than their fair share of habitual password guessers.
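The blind spot described in this post (a per-IP threshold that a widely distributed guesser never trips) can be closed by aggregating failures across all source IPs per time window. This is an added example, not code from the story or any commenter; the sshd log lines are constructed, and the thresholds `max_per_ip` and `min_total` are assumed tuning values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format; not a real log.
SAMPLE_LOG = """\
Feb 13 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Feb 13 10:05:13 host sshd[102]: Failed password for root from 198.51.100.7 port 51001 ssh2
Feb 13 10:11:40 host sshd[103]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
Feb 13 10:20:02 host sshd[104]: Failed password for root from 198.51.100.22 port 51003 ssh2
Feb 13 10:31:55 host sshd[105]: Failed password for invalid user oracle from 192.0.2.44 port 51004 ssh2
Feb 13 10:44:09 host sshd[106]: Accepted publickey for alice from 192.0.2.10 port 51005 ssh2
Feb 13 10:50:30 host sshd[107]: Failed password for root from 203.0.113.77 port 51006 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def parse_failures(text):
    """Yield (timestamp, user, ip) for each failed-password line.
    syslog lines carry no year, so strptime fills in 1900; only the
    hour bucket matters here."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]

def summarize_windows(text, max_per_ip=2, min_total=5):
    """Bucket failures per hour and flag windows where the total is high but
    no single IP exceeds max_per_ip, which a per-IP ban threshold never sees."""
    windows = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        windows[ts.replace(minute=0, second=0)].append((user, ip))
    report = {}
    for start, events in sorted(windows.items()):
        per_ip = Counter(ip for _, ip in events)
        users = Counter(user for user, _ in events)
        report[start.strftime("%b %d %H:00")] = {
            "total": len(events),
            "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),
            "top_users": users.most_common(3),
            "distributed": len(events) >= min_total and max(per_ip.values()) <= max_per_ip,
        }
    return report

if __name__ == "__main__":
    for window, stats in summarize_windows(SAMPLE_LOG).items():
        print(window, stats)
```

A window flagged `distributed` is a signal to alert on the targeted accounts (root, admin) rather than on any one source address.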
(Score: 2) by FatPhil on Sunday February 13, @11:01PM (2 children)
The boxes I'm currently logged into have the following histories of banning, which seems like it's doing an OK job:
|- Total banned: 6390
|- Total banned: 43171
|- Total banned: 34859
`- Total banned: 6253
It's hard to know how good a job, because you can't see what they would be doing after you've banned them. I set the ban period to be pretty long, not the default - I think it's 3 fails for a 1 day ban, which cranks up the ratio of when they're not able to get through.
(Score: 0) by Anonymous Coward on Monday February 14, @12:25AM (1 child)
Why do all that extra work? Wireguard is stupid easy to set up and the automatic shit doesn't even have a chance.
(Score: 2) by FatPhil on Monday February 14, @05:46AM
(Score: 0) by Anonymous Coward on Monday February 14, @11:10PM
People who don't know the basics about security being responsible for their own security is one reason why our firewall filters bruting attempts and other attacks for them. Most attempts are so dumb that the equally dumb firewall rules take care of most with only a handful of false positives reported. If you use IPv6, listening only on your ULA addresses can make a big difference too.
(Score: 5, Informative) by McD on Sunday February 13, @01:58PM
This story is rattling around the echo chamber, and every instance is repeating:
Not entirely true. The worm also "creates a backdoor" on compromised hosts. It writes its own pubkey into .ssh/authorized_keys - as documented here:
https://github.com/guardicore/labs_campaigns/tree/master/FritzFrog [github.com]
So in at least some cases, the code does touch the disk.
That URL has the ssh pubkey that it writes. It also has a nice little shell script to look for the worm in memory.
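Since the backdoor described here is a public key appended to `.ssh/authorized_keys`, a routine defensive check is to fingerprint every entry and compare it against an allowlist. This is an added example, not code from the Guardicore repository or from the commenter; the key blobs and the allowlist are constructed for the demo and contain no real or FritzFrog key material.

```python
import base64
import hashlib
import struct

def synthetic_ed25519_blob(seed: int) -> str:
    """Build a structurally valid ssh-ed25519 public key blob from one repeated
    byte. Constructed for this demo only; it is not a usable or real key."""
    raw = (struct.pack(">I", 11) + b"ssh-ed25519"
           + struct.pack(">I", 32) + bytes([seed]) * 32)
    return base64.b64encode(raw).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_authorized_keys(text: str):
    """Yield (options, keytype, fingerprint, comment) for each key line.
    The optional leading options field (restrict, command="...") is located by
    finding the first token that looks like a key type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # not a key line this parser understands
        options = " ".join(parts[:idx])
        yield options, parts[idx], fingerprint(parts[idx + 1]), " ".join(parts[idx + 2:])

def audit(text: str, allowlist: set) -> list:
    """Return (keytype, fingerprint, comment) for every key not on the allowlist."""
    return [(kt, fp, comment) for _, kt, fp, comment in parse_authorized_keys(text)
            if fp not in allowlist]

# Constructed sample: an approved key twice (once with restrictions) and one
# unapproved, comment-less key, the shape an appended backdoor key tends to have.
GOOD_BLOB = synthetic_ed25519_blob(0x01)
ROGUE_BLOB = synthetic_ed25519_blob(0x02)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {GOOD_BLOB} alice@laptop
restrict,command="/usr/local/bin/backup" ssh-ed25519 {GOOD_BLOB} backup-job
ssh-ed25519 {ROGUE_BLOB}
"""
ALLOWLIST = {fingerprint(GOOD_BLOB)}

if __name__ == "__main__":
    for keytype, fp, comment in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"UNEXPECTED {keytype} {fp} {comment!r}")
```

Run against every user's `authorized_keys` (root included) from a cron job or a file-integrity monitor, with the allowlist kept off the audited host.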
(Score: 3, Interesting) by MIRV888 on Sunday February 13, @06:50PM (3 children)
I don't code. So I simply don't know if this is the kind of malicious software that is too complicated for some computer science major to do in his/her dorm. Do programs of this complexity inherently mean large organizations or state level support?
(Score: 4, Informative) by stormreaver on Sunday February 13, @07:20PM
Although sophisticated, this type of software doesn't require anything even remotely close to nation state power. Its entire capability is founded on cracking passwords. The article doesn't specify zero-days or anything particularly advanced as an entry mechanism, or anything that isn't publicly available to any dedicated script-kiddie.
A few talented people working in concert (or one smart person with time to kill) could readily achieve all of this. Most of the core technology that founded Polaroid was created by one really smart guy, so impressive things can be done by someone with the right skill set (a very particular set of skills).
(Score: 0) by Anonymous Coward on Sunday February 13, @07:21PM
No. It's been rare for people with the skills to apply them to crime though - most can get substantially better pay with less stress by having a real job. Cryptocurrencies, tech industry hiring practices, and broader global connectivity are likely changing the calculus...
(Score: 0) by Anonymous Coward on Monday February 14, @06:31PM
Nah. A lot of the code already exists out there. It often doesn't take that much code to "destroy"/pwn.
Which is why accusations of "Bogeyman Government of the Day" being involved in various "hacking" stuff should always be taken with a dollop of salt. Just because some IPs are from a particular country doesn't mean that country's government is involved. For example I get lots of port scans from Digital Ocean IP ranges, doesn't necessarily mean the US Gov is trying to hack me.
BUT if there were fancy shiny UIs which some dumb Gov bureaucrat can use then yeah maybe some large organization or nation state is involved. Coz most hackers in mom's basement ain't gonna bother with coding some fancy UI catered for lusers. They'd actually prefer the command line stuff. Yeah if they need to pwn someone's phone and look at their screen they might need to pop up some window for the hacker to look at but it's just gonna be functional and not fancy.