Researchers at the security firm Guardicore Labs have found what they believe is a previously undocumented botnet with unusually advanced features, and they say it is targeting millions of servers worldwide. The botnet is built on its own custom code rather than on any known malware family.

The botnet's purpose is to infect servers and then control them over a peer-to-peer (P2P) network. A P2P botnet distributes control among the infected nodes themselves instead of relying on a central server to issue commands, so there is no single host that defenders can block or take down to sever the operators' control.

And they named it FritzFrog…

Ophir Harpaz, one of the researchers at Guardicore Labs, wrote: "One of the most exciting things is that there was no apparent command and control server being connected to." After looking at the botnet closely, the team confirmed that there was no command-and-control (C2) server at all.

Some of the advanced features Guardicore found include:

  • Fileless, in-memory payloads that are never written to the infected server's disk
  • 20 different versions of the binary since January, with possibly more to come
  • A sole focus on SSH servers, the remote-administration service admins use to manage hosts, which it enters by brute-forcing credentials
  • The ability to plant a backdoor on every server it infects
  • A list of login credential combinations for guessing weak SSH passwords, paired with a backdoor that keeps access even if the weak password is later changed

Taken together, these features put FritzFrog ahead of previously documented P2P botnets in sophistication.

A work of art

From what the researchers can tell, someone poured considerable resources into building this botnet. The code is under active development, with new binary versions appearing frequently, and its payloads run only in memory and never touch disk. Those two traits, rapid churn of the binary and fileless execution, leave signature-based antivirus and file scanners with little to match on, which is why FritzFrog went undetected for so long.

Once installed, the malware accepts 30 commands, including running scripts and downloading logs, databases and files. Because the in-memory payload would not survive a reboot, the malware also adds an attacker-controlled SSH public key to the system's authorized_keys file, giving the operators a way back in after a restart or a password change. How many servers are infected worldwide is not stated, but the number may be large.
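The two traits described above, an attacker-added public key in authorized_keys and a payload that exists only in memory, are both checkable on a Linux host. The script below is an added example written for this page, not code from Guardicore or from the FritzFrog report: it audits an authorized_keys file against an allowlist of fingerprints (in the same SHA256 format `ssh-keygen -lf` prints) and flags processes whose executable is memfd-backed, already unlinked, or running from a scratch directory. The sample keys and the process list are constructed for illustration; the `scan_live_proc` helper reads a real `/proc` when run as root.

```python
"""Host checks for two FritzFrog traits: a planted SSH public key and a
fileless payload.  Added example, not Guardicore's code; sample data is
constructed."""
import base64
import hashlib
import os
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(b):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def fingerprint(blob):
    """Same format as `ssh-keygen -lf`: SHA256 of the raw key blob, base64, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment, raw_line) per key.  Lines may carry an
    options prefix (from=..., command=...), so the key-type token is located
    rather than assumed first.  A blob whose embedded type disagrees with the
    declared type, or that does not decode, is reported as 'malformed'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            yield ("malformed", b"", "", raw)
            continue
        key_type, b64 = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            embedded = blob[4:4 + n].decode()
        except Exception:
            yield ("malformed", b"", comment, raw)
            continue
        yield (key_type if embedded == key_type else "malformed", blob, comment, raw)


def audit_authorized_keys(text, allowed_fingerprints):
    """One finding per key whose fingerprint is not allowlisted, plus malformed lines."""
    findings = []
    for key_type, blob, comment, raw in parse_authorized_keys(text):
        fp = fingerprint(blob) if key_type != "malformed" else None
        if key_type == "malformed" or fp not in allowed_fingerprints:
            findings.append({"type": key_type, "fingerprint": fp, "comment": comment, "line": raw})
    return findings


def classify_exe(exe_target):
    """Reason string if readlink(/proc/<pid>/exe) looks like an in-memory or
    unlinked executable, else None."""
    if exe_target.startswith("/memfd:"):
        return "memfd-backed executable, never written to a filesystem"
    if exe_target.endswith(" (deleted)"):
        return "executable unlinked after start, binary no longer on disk"
    if exe_target.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        return "executable running from a tmpfs or scratch directory"
    return None


def find_fileless_processes(proc_entries):
    """proc_entries: iterable of (pid, exe_target, comm).  Returns suspicious ones."""
    return [(pid, exe, comm, reason) for pid, exe, comm in proc_entries
            if (reason := classify_exe(exe))]


def scan_live_proc():
    """Collect (pid, exe_target, comm) from a real /proc; root is needed to read
    other users' exe links."""
    entries = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        entries.append((pid, exe, comm))
    return entries


# Constructed sample: one legitimate admin key (with an options prefix) and one planted key.
ADMIN_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
ROGUE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([0x42] * 32))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin workstation",
    'from="10.0.0.0/8" ssh-ed25519 ' + base64.b64encode(ADMIN_BLOB).decode() + " admin@bastion",
    "ssh-ed25519 " + base64.b64encode(ROGUE_BLOB).decode() + " ",  # planted, no comment
])
ALLOWED = {fingerprint(ADMIN_BLOB)}

SAMPLE_PROCS = [  # constructed readlink(/proc/<pid>/exe) results, not real data
    ("812", "/usr/sbin/sshd", "sshd"),
    ("4417", "/memfd:x (deleted)", "updater"),
    ("4420", "/tmp/.cache/svc (deleted)", "svc"),
]

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print("unexpected key:", f["type"], f["fingerprint"], repr(f["comment"]))
    for pid, exe, comm, reason in find_fileless_processes(SAMPLE_PROCS):
        print(f"pid {pid} ({comm}): {exe}: {reason}")
```

Keying the allowlist on fingerprints rather than on the comment field matters because the comment is free text an attacker can set to anything, while the fingerprint commits to the key material itself. The `(deleted)` and `/memfd:` checks catch the common ways a payload keeps running after its file is gone; they are a starting point, not a complete fileless-malware detector.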