{"id":2030,"date":"2022-02-18T19:03:30","date_gmt":"2022-02-19T02:03:30","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=2030"},"modified":"2022-02-18T20:01:07","modified_gmt":"2022-02-19T03:01:07","slug":"the-p2p-botnet-fritzfrog","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/02\/18\/the-p2p-botnet-fritzfrog\/","title":{"rendered":"The P2P Botnet: FritzFrog"},"content":{"rendered":"\n<div class=\"wp-block-image is-style-rounded\"><figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/frog-1024x681.jpeg\" alt=\"\" class=\"wp-image-2054 lazyload\" width=\"1077\" height=\"716\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/frog-1024x681.jpeg 1024w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/frog-300x199.jpeg 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/frog-768x511.jpeg 768w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/frog-600x400.jpeg 600w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/frog.jpeg 1128w\" data-sizes=\"(max-width: 1077px) 100vw, 1077px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1077px; --smush-placeholder-aspect-ratio: 1077\/716;\" \/><figcaption>Fig 1. Lexo Salazar. 
<em>Photo of Green Frog on Leaf<\/em>, 2016, Pexels, <a href=\"https:\/\/www.pexels.com\/photo\/photo-of-green-frog-on-leaf-1370740\/\">www.pexels.com\/photo\/photo-of-green-frog-on-leaf-1370740\/<\/a>.<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"preamble\">Preamble<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To start off, I believe that some definitions are in order, as understanding some of the concepts FritzFrog utilizes helps paint the picture of what exactly it does. Firstly, P2P is the short form of peer-to-peer, which refers to a type of network in which two or more systems are connected (<a href=\"https:\/\/www.computerworld.com\/article\/2588287\/networking-peer-to-peer-network.html\" data-type=\"URL\" data-id=\"https:\/\/www.computerworld.com\/article\/2588287\/networking-peer-to-peer-network.html\">Computerworld<\/a>). Peers on a peer-to-peer network can communicate with each other; more explicitly, they can transfer and relay data to and from one another (<a href=\"https:\/\/www.oxfordlearnersdictionaries.com\/definition\/english\/peer-to-peer\">Oxford<\/a>). Botnet bears a similar meaning, in the sense that it is also a type of network of systems (<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/botnet\">Trend Micro<\/a>). However, each system in a botnet is infected to some degree, and any of these infected systems can become the point of control for the attacker (<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/botnet\">Trend Micro<\/a>). A P2P botnet is the amalgamation of these two concepts. It is a network of intertwined systems that can communicate with each other, and any one of them can become the point of control without the need for an overlying control point. From this, we can see why it&#8217;s called FritzFrog: much like a frog, control can jump from place to place. 
Additionally, we can begin to understand how it is still in circulation: removing it from one system doesn&#8217;t affect the botnet as a whole, and finding the location of the current commander is not impossible, but rather complicated. Not to mention that its developers are able to adapt it as time progresses, to help it remain undetected. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-does-fritzfrog-do\">What does FritzFrog do?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">FritzFrog attempts to connect to SSH servers, and if it can connect, it drops payloads onto said system; it also adds its own SSH key to the list of keys (<a href=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\">Guardicore<\/a>). One of the main things installed on these systems is something known as a <a href=\"http:\/\/linuxize.com\/post\/netcat-nc-command-with-examples\/\" data-type=\"URL\" data-id=\"linuxize.com\/post\/netcat-nc-command-with-examples\/\">netcat<\/a> client. This (unfortunately) is not a virtual cat for the infected user to enjoy; rather, it takes whatever it has seen in the terminal and sends it to the FritzFrog server. In addition to this, it attempts to run a <a href=\"https:\/\/www.getmonero.org\/\" data-type=\"URL\" data-id=\"https:\/\/www.getmonero.org\/\">Monero<\/a> cryptominer (<a href=\"https:\/\/thehackernews.com\/2022\/02\/fritzfrog-p2p-botnet-attacking.html\">The Hacker News<\/a>). This can be assumed to be FritzFrog&#8217;s main goal, as <a href=\"https:\/\/www.getmonero.org\/\" data-type=\"URL\" data-id=\"https:\/\/www.getmonero.org\/\">Monero<\/a> is a decentralized and untraceable currency. Switching topics, at FritzFrog&#8217;s inception it used brute force to infect a total of 500 systems, and it is currently infecting 500 per day as of January 2022, as per <a href=\"https:\/\/thehackernews.com\/2022\/02\/fritzfrog-p2p-botnet-attacking.html\">The Hacker News&#8217; article<\/a>. 
According to <a href=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\" data-type=\"URL\" data-id=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\">Guardicore<\/a>, it used to mask itself as ifconfig and nginx (which are common Linux software\/tools), but it has since changed slightly and now tries to appear as apache2 and php-fpm. It is quite clear that it aims to infect servers running Linux, as they often have a reasonable amount of computing power due to the numerous machines attached to them. The earlier mention of it creating an SSH key now becomes relevant once again as we begin to talk about why it is so tricky to detect. In order to evade detection, it utilizes SSH to connect to hosts (as previously mentioned), it is fileless (which is why it needs\/wants its SSH key on the system), and it uses a proprietary P2P protocol (<a href=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\">Guardicore<\/a>). The evolution does not stop at changing which mask it wears on systems, as it has also implemented a secure copy protocol (SCP) feature, and it can even detect high-end machines (<a href=\"https:\/\/thehackernews.com\/2022\/02\/fritzfrog-p2p-botnet-attacking.html\">The Hacker News<\/a>). This, quite blatantly, adds more backing to the claim that its sole purpose is to mine cryptocurrency, rather than to steal information or destroy systems. 
It seems to be hard to detect, but <a href=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\">Guardicore<\/a> has provided a <a href=\"https:\/\/github.com\/guardicore\/labs_campaigns\/blob\/master\/FritzFrog\/detect_fritzfrog.sh\" data-type=\"URL\" data-id=\"https:\/\/github.com\/guardicore\/labs_campaigns\/blob\/master\/FritzFrog\/detect_fritzfrog.sh\">script<\/a> to aid in the detection of this malware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"who-is-it-attacking\">Who is it attacking?<\/h2>\n\n\n\n<div class=\"wp-block-image is-style-rounded\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"979\" height=\"491\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/map.png\" alt=\"\" class=\"wp-image-2067 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/map.png 979w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/map-300x150.png 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/02\/map-768x385.png 768w\" data-sizes=\"(max-width: 979px) 100vw, 979px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 979px; --smush-placeholder-aspect-ratio: 979\/491;\" \/><figcaption>Fig 2. Guardicore. Map of infected systems, <a href=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\" data-type=\"URL\" data-id=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\">www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/<\/a>.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Currently, the aim seems to be large scale entities, rather than small ones. 
There have been many universities, colleges, healthcare institutions, and others attacked so far (<a href=\"https:\/\/thehackernews.com\/2022\/02\/fritzfrog-p2p-botnet-attacking.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\">Guardicore<\/a>). A disproportionate number of the infected systems are in China, but other countries such as the United States and Russia have also been successfully attacked (<a href=\"https:\/\/thehackernews.com\/2022\/02\/fritzfrog-p2p-botnet-attacking.html\">The Hacker News<\/a>). Most likely it inadvertently attacks large institutions (especially universities and colleges), as they normally use SSH and Linux systems for their servers. The fact that it masks itself as common Linux software lends some support to this claim. It may also potentially attempt to target individual systems, but this remains to be seen on a large scale. In general though, it seems that it attacks whoever and wherever it can, showing no remorse for any system (unless, of course, it can&#8217;t be used to mine crypto).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">FritzFrog is a dangerous piece of malware, and its aim is to mine cryptocurrency on infected machines. The developers are highly skilled, and the P2P botnet&#8217;s progress, from inception to now, is proof of this. It inadvertently attacks large-scale institutions, and can easily detect systems that are capable of mining crypto. In times like these, we must have trust in the SSH servers we connect to. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"citations\">Citations<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Sharma, Ax. 
&#8220;FritzFrog malware attacks Linux servers over SSH to mine Monero&#8221; Bleeping Computer, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fritzfrog-malware-attacks-linux-servers-over-ssh-to-mine-monero\/\">www.bleepingcomputer.com\/news\/security\/fritzfrog-malware-attacks-linux-servers-over-ssh-to-mine-monero\/<\/a>. Accessed 18 February 2022.<\/li><li>Harpaz, Ophir. \u201cFritzFrog: A New Generation Of Peer-To-Peer Botnets\u201d Guardicore, <a href=\"https:\/\/www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/\">www.guardicore.com\/labs\/fritzfrog-a-new-generation-of-peer-to-peer-botnets\/<\/a>. Accessed 18 February 2022.<\/li><li>Lakshmanan, Ravie. \u201cFritzFrog P2P Botnet Attacking Healthcare, Education and Government Sectors\u201d The Hacker News, <a href=\"https:\/\/thehackernews.com\/2022\/02\/fritzfrog-p2p-botnet-attacking.html\">thehackernews.com\/2022\/02\/fritzfrog-p2p-botnet-attacking.html<\/a>. Accessed 18 February 2022.<\/li><li>\u201cBotnet\u201d Trend Micro Incorporated, <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/botnet\">www.trendmicro.com\/vinfo\/us\/security\/definition\/botnet<\/a>. Accessed 18 February 2022.<\/li><li>\u201cpeer-to-peer\u201d Oxford Learner\u2019s Dictionaries, <a href=\"https:\/\/www.oxfordlearnersdictionaries.com\/definition\/english\/peer-to-peer\">www.oxfordlearnersdictionaries.com\/definition\/english\/peer-to-peer<\/a>. Accessed 18 February 2022.<\/li><li>Cope, James. \u201cWhat\u2019s a Peer-to-Peer (P2P) Network?\u201d Computerworld, <a href=\"https:\/\/www.computerworld.com\/article\/2588287\/networking-peer-to-peer-network.html\">www.computerworld.com\/article\/2588287\/networking-peer-to-peer-network.html<\/a>. 
Accessed 18 February 2022.<\/li><li>\u201cNetcat (nc) Command with Examples\u201d Linuxize,&nbsp; <a href=\"https:\/\/linuxize.com\/post\/netcat-nc-command-with-examples\/\">linuxize.com\/post\/netcat-nc-command-with-examples\/<\/a>. Accessed 18 February 2022.<\/li><li>&#8220;Monero Means Money&#8221; Monero, <a href=\"https:\/\/www.getmonero.org\/\">https:\/\/www.getmonero.org\/<\/a>. Accessed 18 February 2022.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Preamble To start off, I believe that some definitions are in order, as understanding some of the concepts FritzFrog utilizes helps paint the picture of what exactly it does. Firstly, P2P is the short form of peer-to-peer; which refers to a type of network, where two or more systems are connected (Computerworld). Peers on a &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/02\/18\/the-p2p-botnet-fritzfrog\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;The P2P Botnet: FritzFrog&#8221;<\/span><\/a><\/p>\n","protected":false},"author":357,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-2030","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Carson 
Bergen","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/carson-bergen\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/357"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=2030"}],"version-history":[{"count":36,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2030\/revisions"}],"predecessor-version":[{"id":2090,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2030\/revisions\/2090"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=2030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=2030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=2030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}