FritzFrog ! Kind of bots without C2C

The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network.

Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down. No CNC in place it’s a surprise

The botnet, has a host of other advanced features, including:

In-memory payloads that never touch the disks of infected servers

At least 20 versions of the software binary since January

A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines

The ability to backdoor infected servers
A list of login credential combinations used to suss out weak login passwords that’s more “extensive” than those in previously seen botnets


Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that’s effective, difficult to detect, and resilient to takedowns. The new code base—combined with rapidly evolving versions and payloads that run only in memory—make it hard for antivirus and other end-point protection to detect the malware.

The peer-to-peer design makes it difficult for researchers or law enforcement to shut down the operation. The typical means of takedown is to seize control of the command-and-control server. With servers infected with FritzFrog exercising decentralized control of each other, this traditional measure doesn’t work. Peer-to-peer also makes it impossible to sift through control servers and domains for clues about the attackers.

Bot as of now infected handful number of victims.

Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server.” (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it’s possible that the “malware server” is hosted on one of the infected machines, and not on a dedicated server.

To infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys the botnet uses to send commands and receive data.

Before infected machines reboot, FritzFrog installs a public encryption key to the server’s “authorized_keys” file. The certificate acts as a backdoor in the event the weak password gets changed.

The takeaway from findings is that administrators who don’t protect SSH servers with both a strong password and a cryptographic certificate may already be infected with malware that’s hard for the untrained eye to detect. The report has a link to indicators of compromise and a program that can spot infected machines.