FritzFrog, a worm that infects servers via SSH and creates a decentralized botnet

Guardicore (a cloud and data center security company) has identified a new, sophisticated piece of malware called "FritzFrog" that targets Linux-based servers. FritzFrog combines a worm, which spreads by brute-forcing servers with an open SSH port, with components that build a decentralized botnet: it works without control nodes and has no single point of failure.

According to the researchers, the botnet already has around 500 nodes, including servers belonging to several universities and a large railway company. What sets FritzFrog apart is that it keeps all of its data and executable code only in memory.

The only change made to disk is the addition of a new SSH key to the authorized_keys file, which is then used to access the server.

System files remain unchanged, which keeps the worm invisible to tools that verify file integrity by checksum. Memory also holds the password dictionaries used for brute forcing and the mining data, both of which are synchronized between nodes over the P2P protocol.

The malicious components are disguised as "ifconfig", "libexec", "php-fpm" and "nginx" processes.

Botnet nodes monitor the health of their neighbors, and after a server restart, or even an operating system reinstallation (if the modified authorized_keys file was carried over to the new system), they reactivate the malicious components on the host.

For communication, regular SSH is used: the malware also launches a local "netcat" bound to the localhost interface, listening on port 1234, which external nodes reach through an SSH tunnel using the key added to authorized_keys.

The malware includes several modules that run on different threads:

  • Cracker: brute-forces passwords on attacked servers.
  • CryptoComm + Parser: set up the encrypted P2P connection.
  • CastVotes: a mechanism for jointly selecting the target hosts for an attack.
  • TargetFeed: obtains the list of nodes to attack from neighboring nodes.
  • DeployMgmt: the worm implementation that spreads the malicious code to a compromised server.
  • Owned: responsible for connecting to servers that are already running the malicious code.
  • Assemble: assembles a file in memory from separately transferred blocks.
  • Antivir: a module to suppress competing malware; it detects and kills CPU-consuming processes whose name contains the string "xmr".
  • Libexec: the module that mines the Monero cryptocurrency.

The P2P protocol used by FritzFrog supports around 30 commands, covering data transfer between nodes, running scripts, transferring malware components, polling status, exchanging logs, starting a proxy, and so on.

Information is transmitted over a separate encrypted channel with JSON serialization. For encryption, AES is used together with Base64 encoding, and the Diffie-Hellman (DH) protocol is used for key exchange. To track each other's state, the nodes constantly exchange ping requests.

All botnet nodes maintain a distributed database with information about attacked and compromised systems.

Attack targets are synchronized across the entire botnet: each node attacks a separate target, so two different botnet nodes will never attack the same host.

Nodes also collect local statistics, such as free memory, uptime, CPU load and SSH login activity, and pass them on to their neighbors.

This information is used to decide whether to start the mining process or to use a node only for attacking other systems (for example, mining is not started on heavily loaded systems or on systems with frequent administrator logins).

The researchers have proposed a simple shell script to identify FritzFrog.

To determine whether a system is compromised, look for signs such as a listening socket on port 1234, a malicious key in authorized_keys (the same SSH key is installed on all nodes), and running processes named "ifconfig", "libexec", "php-fpm" or "nginx" that have no associated executable on disk (their /proc/<pid>/exe link points to a deleted file).

Traffic on network port 5555, generated when the malware connects to the commonly used web.xmrpool.eu pool while mining Monero, can also serve as a signal.
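The checks just described, implemented as an added example (not the researchers' script): the functions below flag processes with the suspect names whose /proc exe link is marked deleted, a LISTEN socket on port 1234 read from /proc/net/tcp, and authorized_keys entries outside an administrator-supplied allowlist. The sample process table and socket rows are constructed for illustration; `live_processes()` is the assumed collector for a real Linux host.

```python
import os

# Process names the article says FritzFrog hides behind.
SUSPECT_NAMES = {"ifconfig", "libexec", "php-fpm", "nginx"}
FRITZFROG_PORT = 1234   # local netcat listener reached over an SSH tunnel
LISTEN = "0A"           # state code for LISTEN in /proc/net/tcp


def fileless_processes(procs):
    """procs: iterable of (pid, comm, exe_target).
    A memory-only payload shows up as a suspect name whose exe was unlinked."""
    return [(pid, comm) for pid, comm, exe in procs
            if comm in SUSPECT_NAMES and exe.endswith("(deleted)")]


def listeners_on_port(tcp_lines, port=FRITZFROG_PORT):
    """tcp_lines: rows of /proc/net/tcp without the header line.
    Column 2 is the local address as HEXIP:HEXPORT, column 4 is the state."""
    hits = []
    for line in tcp_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        local, state = parts[1], parts[3]
        if state == LISTEN and int(local.split(":")[1], 16) == port:
            hits.append(local)
    return hits


def unexpected_keys(authorized_keys_text, allowlist):
    """Return key lines that are not in the administrator's allowlist."""
    lines = [l.strip() for l in authorized_keys_text.splitlines()]
    return [l for l in lines if l and not l.startswith("#") and l not in allowlist]


def live_processes():
    """Collect (pid, comm, exe_target) from /proc on a Linux host (assumed collector)."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads, vanished or unreadable processes
        out.append((pid, comm, exe))
    return out


# Constructed sample data (not real captures): one fileless "nginx", one 1234 listener.
SAMPLE_PROCS = [("812", "nginx", "/tmp/.x (deleted)"), ("900", "nginx", "/usr/sbin/nginx"),
                ("951", "sshd", "/usr/sbin/sshd")]
SAMPLE_TCP = ["0: 0100007F:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1",
              "1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2"]
```

On a live host, feed `live_processes()` and the rows of /proc/net/tcp (minus its header) into the same functions; an allowlist for `unexpected_keys` has to come from the administrator's own records, since the article does not publish the key value.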
