Recently, a peer-to-peer (P2P) botnet known as FritzFrog has drawn wide attention in the technology world, with researchers saying it has been aggressively breaching SSH servers, software also found in routers and IoT devices, for the last 8 months.

According to technology experts, FritzFrog spreads as a worm, brute-forcing credentials at institutions such as government offices, educational institutions, medical centers, banks and telecom companies. The botnet has attempted to compromise tens of millions of machines so far and has successfully breached more than 500 servers. Renowned universities in the U.S. and Europe and a railway company are the most prominent victims.
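Because FritzFrog's entry point is SSH credential brute-forcing, the first thing a defender wants is a way to spot that activity in the authentication log. The following Python script is an added example, not code from the article or from Guardicore: it parses OpenSSH `Failed password` / `Accepted ...` lines from a constructed `auth.log` sample (all addresses, hostnames and usernames are made up), counts failures and distinct usernames per source, flags sources above a threshold, and escalates when a password login succeeds from a source that has already exceeded it. The threshold of five failures is an assumed value for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not taken from the article);
# the addresses, hostname and usernames are invented for illustration.
SAMPLE_AUTH_LOG = """\
Aug 19 10:01:02 host sshd[2101]: Failed password for root from 198.51.100.23 port 51022 ssh2
Aug 19 10:01:03 host sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Aug 19 10:01:04 host sshd[2105]: Failed password for invalid user oracle from 198.51.100.23 port 51026 ssh2
Aug 19 10:01:05 host sshd[2107]: Failed password for invalid user ubnt from 198.51.100.23 port 51028 ssh2
Aug 19 10:01:06 host sshd[2109]: Failed password for root from 198.51.100.23 port 51030 ssh2
Aug 19 10:01:09 host sshd[2111]: Accepted password for root from 198.51.100.23 port 51032 ssh2
Aug 19 10:02:15 host sshd[2120]: Failed password for alice from 192.0.2.7 port 40100 ssh2
Aug 19 10:02:20 host sshd[2122]: Accepted publickey for alice from 192.0.2.7 port 40102 ssh2
Aug 19 10:03:00 host sshd[2130]: Failed password for root from 203.0.113.9 port 33001 ssh2
Aug 19 10:03:01 host sshd[2131]: Failed password for root from 203.0.113.9 port 33003 ssh2
"""

# OpenSSH logs guesses against non-existent accounts as "invalid user NAME".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def analyse_auth_log(text, threshold=5):
    """Return (per-source stats, findings) for an auth.log excerpt.

    A source is flagged "brute-force" once it has at least `threshold`
    failed password logins. A *password* login that succeeds from a source
    already over the threshold is reported as "likely-compromise", because
    that is what a successful credential guess looks like in the log.
    Key-based logins are never treated as guesses.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            src = stats[m["ip"]]
            src["failures"] += 1
            src["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            src = stats[m["ip"]]
            src["accepted"].append((m["user"], m["method"]))
            if m["method"] == "password" and src["failures"] >= threshold:
                findings.append(("likely-compromise", m["ip"], m["user"]))
    for ip, src in stats.items():
        if src["failures"] >= threshold:
            findings.append(("brute-force", ip, src["failures"], len(src["users"])))
    return stats, findings


if __name__ == "__main__":
    _, found = analyse_auth_log(SAMPLE_AUTH_LOG)
    for f in found:
        print(f)
```

On the sample, the script reports `198.51.100.23` both as a brute-force source (5 failures across 4 usernames) and as a likely compromise (password login for `root` after the burst); the two-failure source and the key-based login are left alone. On a live system the same logic applies to `journalctl -u ssh` output or to the `sshd` events a SIEM already collects.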

As a P2P botnet, FritzFrog is more resilient than other types of botnets, since control is decentralized and spread among all nodes rather than concentrated in a single command-and-control server.

Guardicore researcher Ophir Harpaz said: “FritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers,” adding “the P2P protocol is completely proprietary, relying on no known P2P protocols such as μTP.”

As for the other technical details, Guardicore examined the botnet by injecting its own nodes into the network, which let the researchers take part in the ongoing P2P traffic and observe how it was built.

They found that nearly everything about FritzFrog is unique compared with past P2P botnets, and its fileless payload is rare. Harpaz wrote that files are shared over the network both to infect new machines and to run new malicious payloads on machines already compromised.

“When a node A wishes to receive a file from its peer, node B, it can query node B which blobs it owns using the command getblobstats,” according to the researcher. “Then, node A can get a specific blob by its hash, either by the P2P command getbin or over HTTP, with the URL http://:1234/. When node A has all the needed blobs – it assembles the file using a special module named Assemble and runs it.”

Meanwhile, the botnet continually updates itself with databases of targets and breached machines as it worms its way through the internet.

“Nodes in the FritzFrog network keep in close contact with each other,” Harpaz noted. “They constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced. The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network. Guardicore Labs observed that targets are evenly distributed, such that no two nodes in the network attempt to ‘crack’ the same target machine.”

Harpaz noted that, overall, FritzFrog is cutting-edge, but there is a simple way to deflect a compromise: “Weak passwords are the immediate enabler of FritzFrog’s attacks,” she said. “We recommend choosing strong passwords and using public key authentication, which is much safer.”
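The recommendation above translates into a handful of `sshd_config` keywords, and the mistake that keeps password guessing possible is usually a leftover default rather than a deliberate choice. The following Python script is an added example, not from the article or from Guardicore: it embeds a constructed permissive `sshd_config` beside a hardened counterpart, parses the global section the way `sshd` reads it (case-insensitive keywords, `#` comments, first value wins, `Match` blocks set aside), and reports which settings still allow interactive password logins. The `MaxAuthTries` limit of 3 is an assumed threshold for illustration; the OpenSSH defaults listed are for current releases and should be checked against the version actually installed.

```python
import re

# Constructed permissive configuration (not from the article): every keyword
# here is either a risky explicit value or an unchanged OpenSSH default.
WEAK_SSHD_CONFIG = """\
# Constructed example of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

# Constructed hardened counterpart: key-only logins, no interactive guessing.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
"""

# OpenSSH defaults for the keywords audited below (current releases).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

# ChallengeResponseAuthentication is the deprecated alias of
# KbdInteractiveAuthentication; treat both as the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

MAX_AUTH_TRIES_LIMIT = 3  # assumed value for this example


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into an effective-settings dict.

    sshd uses the first value given for a keyword, keywords are
    case-insensitive, '#' starts a comment, and arguments may be separated
    from the keyword by whitespace or '='. Parsing stops at the first Match
    block because those settings only apply conditionally.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        key = ALIASES.get(key, key)
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in seen:
            continue  # first occurrence wins
        seen.add(key)
        settings[key] = value
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes."""
    s = parse_sshd_config(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication should be 'no' (key-based logins only)")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication should be 'no' "
                        "(PAM can otherwise still prompt for a password)")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin should not be 'yes'")
    try:
        if int(s["maxauthtries"]) > MAX_AUTH_TRIES_LIMIT:
            findings.append(f"MaxAuthTries should be at most {MAX_AUTH_TRIES_LIMIT}")
    except ValueError:
        findings.append("MaxAuthTries is not a number")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

The weak configuration produces four findings and the hardened one none. The script audits file text; to audit what the daemon is actually enforcing (including drop-in files under `sshd_config.d`), feed it the output of `sshd -T`, which prints the effective configuration in the same keyword/value form.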
