An anonymous reader quotes a report from BleepingComputer: The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity. The BADBOX botnet is commonly found on Chinese Android-based smart TVs, streaming boxes, projectors, tablets, and other Internet of Things (IoT) devices. "The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," warns the FBI. These devices come preloaded with the BADBOX 2.0 malware botnet or become infected after installing firmware updates and through malicious Android applications that sneak onto Google Play and third-party app stores. "Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process," explains the FBI. "Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services4 known to be used for malicious activity." Once infected, the devices connect to the attacker's command and control (C2) servers, where they receive commands to execute on the compromised devices, such as [routing malicious traffic through residential IPs to obscure cybercriminal activity, performing background ad fraud to generate revenue, and launching credential-stuffing attacks using stolen login data]. Over the years, the malware botnet continued expanding until 2024, when Germany's cybersecurity agency disrupted the botnet in the country by sinkholing the communication between infected devices and the attacker's infrastructure, effectively rendering the malware useless. However, that did not stop the threat actors, with researchers saying they found the malware installed on 192,000 devices a week later. Even more concerning, the malware was found on more mainstream brands, like Yandex TVs and Hisense smartphones. Unfortunately, despite the previous disruption, the botnet continued to grow, with HUMAN's Satori Threat Intelligence stating that over 1 million consumer devices had become infected by March 2025. This new larger botnet is now being called BADBOX 2.0 to indicate a new tracking of the malware campaign. "This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, 'off brand,' uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN. "The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide."

Read more of this story at Slashdot.

An anonymous reader quotes a report from BleepingComputer: Law enforcement authorities have dismantled a botnet that infected thousands of routers over the last 20 years to build two networks of residential proxies known as Anyproxy and 5socks. The U.S. Justice Department also indicted three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and a Kazakhstani (Dmitriy Rubtsov) for their involvement in operating, maintaining, and profiting from these two illegal services. During this joint action dubbed 'Operation Moonlander,' U.S. authorities worked with prosecutors and investigators from the Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police, as well as analysts with Lumen Technologies' Black Lotus Labs. Court documents show that the now-dismantled botnet infected older wireless internet routers worldwide with malware since at least 2004, allowing unauthorized access to compromised devices to be sold as proxy servers on Anyproxy.net and 5socks.net. The two domains were managed by a Virginia-based company and hosted on servers globally. On Wednesday, the FBI also issued a flash advisory (PDF) and a public service announcement warning that this botnet was targeting patch end-of-life (EoL) routers with a variant of the TheMoon malware. The FBI warned that the attackers are installing proxies later used to evade detection during cybercrime-for-hire activities, cryptocurrency theft attacks, and other illegal operations. The list of devices commonly targeted by the botnet includes Linksys and Cisco router models, including: - Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550 - Linksys WRT320N, WRT310N, WRT610N - Cisco M10 and Cradlepoint E100 "The botnet controllers require cryptocurrency for payment. Users are allowed to connect directly with proxies using no authentication, which, as documented in previous cases, can lead to a broad spectrum of malicious actors gaining free access," Black Lotus Labs said. "Given the source range, only around 10% are detected as malicious in popular tools such as VirusTotal, meaning they consistently avoid network monitoring tools with a high degree of success. Proxies such as this are designed to help conceal a range of illicit pursuits including ad fraud, DDoS attacks, brute forcing, or exploiting victim's data."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: A technique that hostile nation-states and financially motivated ransomware groups are using to hide their operations poses a threat to critical infrastructure and national security, the National Security Agency has warned. The technique is known as fast flux. It allows decentralized networks operated by threat actors to hide their infrastructure and survive takedown attempts that would otherwise succeed. Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet. In some cases, IPs and domain names change every day or two; in other cases, they change almost hourly. The constant flux complicates the task of isolating the true origin of the infrastructure. It also provides redundancy. By the time defenders block one address or domain, new ones have already been assigned. "This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection," the NSA, FBI, and their counterparts from Canada, Australia, and New Zealand warned Thursday. "Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations." There are two variations of fast flux described in the advisory: single flux and double flux. Single flux involves mapping a single domain to a rotating pool of IP addresses using DNS A (IPv4) or AAAA (IPv6) records. This constant cycling makes it difficult for defenders to track or block the associated malicious servers since the addresses change frequently, yet the domain name remains consistent. Double flux takes this a step further by also rotating the DNS name servers themselves. In addition to changing the IP addresses of the domain, it cycles through the name servers using NS (Name Server) and CNAME (Canonical Name) records. This adds an additional layer of obfuscation and resilience, complicating takedown efforts. "A key means for achieving this is the use of Wildcard DNS records," notes Ars. "These records define zones within the Domain Name System, which map domains to IP addresses. The wildcards cause DNS lookups for subdomains that do not exist, specifically by tying MX (mail exchange) records used to designate mail servers. The result is the assignment of an attacker IP to a subdomain such as malicious.example.com, even though it doesn't exist." Both methods typically rely on large botnets of compromised devices acting as proxies, making it challenging for defenders to trace or disrupt the malicious activity.

Read more of this story at Slashdot.

Ars Technica's Dan Goodin reports: Five years ago, researchers made a grim discovery -- a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads. Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible. [...] The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads -- known as Max Browser -- was also infected. That app is no longer available in Google Play. The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.

Read more of this story at Slashdot.

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one's Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later. From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as "proxies" that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe -- but predominantly in the United States. 911 built its proxy network mainly by offering "free" virtual private networking (VPN) services. 911's VPN performed largely as advertised for the user -- allowing them to surf the web anonymously -- but it also quietly turned the user's computer into a traffic relay for paying 911 S5 customers. 911 S5's reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that "last mile" of cybercrime. Namely, the ability to route one's malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied. In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software. That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today's Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5. Update, May 29, 12:26 p.m. ET: The U.S. Department of Justice (DOJ) just announced they have arrested Wang in connection with the 911 S5 botnet. The DOJ says 911 S5 customers have stolen billions of dollars from financial institutions, credit card issuers, and federal lending programs. [...] The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm -- Spicy Code Company Limited -- and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited. "911 S5 customers allegedly targeted certain pandemic relief programs," a DOJ statement on the arrest reads. "For example, the United States estimates that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion. Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5. Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5." "Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang," the document continues. "These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Miscreants are actively exploiting two new zero-day vulnerabilities to wrangle routers and video recorders into a hostile botnet used in distributed denial-of-service attacks, researchers from networking firm Akamai said Thursday. Both of the vulnerabilities, which were previously unknown to their manufacturers and to the security research community at large, allow for the remote execution of malicious code when the affected devices use default administrative credentials, according to an Akamai post. Unknown attackers have been exploiting the zero-days to compromise the devices so they can be infected with Mirai, a potent piece of open source software that makes routers, cameras, and other types of Internet of Things devices part of a botnet that's capable of waging DDoSes of previously unimaginable sizes. Akamai researchers said one of the zero-days under attack resides in one or more models of network video recorders. The other zero-day resides in an "outlet-based wireless LAN router built for hotels and residential applications." The router is sold by a Japan-based manufacturer, which "produces multiple switches and routers." The router feature being exploited is "a very common one," and the researchers can't rule out the possibility it's being exploited in multiple router models sold by the manufacturer. Akamai said it has reported the vulnerabilities to both manufacturers, and that one of them has provided assurances security patches will be released next month. Akamai said it wasn't identifying the specific devices or the manufacturers until fixes are in place to prevent the zero-days from being more widely exploited. The Akamai post provides a host of file hashes and IP and domain addresses being used in the attacks. Owners of network video cameras and routers can use this information to see if devices on their networks have been targeted. [...] In an email, Akamai researcher Larry Cashdollar wrote: "The devices don't typically allow code execution through the management interface. This is why getting RCE through command injection is needed. Because the attacker needs to authenticate first they have to know some login credentials that will work. If the devices are using easy guessable logins like admin:password or admin:password1 those could be at risk too if someone expands the list of credentials to try." He said that both manufacturers have been notified, but only one of them has so far committed to releasing a patch, which is expected next month. The status of a fix from the second manufacturer is currently unknown. Cashdollar said an incomplete Internet scan showed there are at least 7,000 vulnerable devices. The actual number of affected devices may be higher.

Read more of this story at Slashdot.

The Cyber Police Department of the National Police of Ukraine dismantled another massive bot farm, seizing computer equipment, mobile phones, and roughly 150,000 SIM cards of multiple mobile operators. BleepingComputer reports: The bots were used to push Russian propaganda justifying Russia's war in Ukraine, to disseminate illegal content and personal information, and in various other fraudulent activities. In a joint operation, the cyber police and units of the Ukrainian National Police executed 21 search operations in Vinnytsia, Zaporizhzhia, and Lvivand. "The cyber police established that the attackers used special equipment and software to register thousands of bot accounts in various social networks and subsequently launch advertisements that violated the norms and legislation of Ukraine," a cyber police press release reads [machine translation]. "In addition to spreading hostile propaganda, the accounts were also used for unauthorized distribution of personal data of Ukrainian citizens on the Internet, in Internet fraud schemes, and for sending known false messages about threats to citizens' safety, destruction or damage to property." Cyber police in Ukraine have busted several pro-Russian bot farms in the last year, including one last month called "Botoferma" and another one late last year that was working for the Russian secret services. Ukraine also traced a Russian propaganda operation to a bot farm that was secretly operating in the country's own capital of Kyiv last August. "The farm operated more than 1 million bot accounts, which helped the propaganda operation build an audience of over 400,000 users on social media," reports PCMag.

Read more of this story at Slashdot.

ZDNet is warning that Linux users need to watch out for "a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory." The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks. But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai... "Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network...." Akamai found 209 peers, but only 40 of them are currently active and they were mostly located in Asia. And why is the education sector more impacted by Panchan? Akamai guesses this could be because of poor password hygiene, or that the malware moves across the network with stolen SSH keys. Akamai writes that the malware "catches Linux termination signals (specifically SIGTERM — 0xF and SIGINT — 0x2) that are sent to it, and ignores them. "This makes it harder to terminate the malware, but not impossible, since SIGKILL isn't handled (because it isn't possible, according to the POSIX standard, page 313)."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Techinca: It's not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible in many victim networks. The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims' networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including: - The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don't support antivirus or endpoint detection. This makes detection through traditional means difficult. - Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device. - A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible. - An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol. The SOCKS tunnel allowed the hackers to effectively connect their control servers to a victim's network where they could then execute tools without leaving traces on any of the victims' computers. A secondary backdoor provided an alternate means of access to infected networks. It was based on a version of the legitimate reGeorg webshell that had been heavily obfuscated to make detection harder. The threat actor used it in the event the primary backdoor stopped working. [...] One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system. Eventually, Quietexit executes its final objective: accessing email accounts of executives and IT personnel in hopes of obtaining documents related to things like corporate development, mergers and acquisitions, and large financial transactions. "Unpacking this threat group is difficult," says Ars' Dan Goodin. "From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524's high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more."

Read more of this story at Slashdot.

The Federal Bureau of Investigation has disclosed it carried out an operation in March to mass-remove malware from thousands of compromised routers that formed a massive botnet controlled by Russian intelligence. From a report: The operation was authorized by courts in California and Pennsylvania, allowing the FBI to copy and remove the so-called Cyclops Blink malware from infected Asus and WatchGuard routers across the U.S., severing the devices from the servers that remotely control and send instructions to the wider botnet. The Justice Department announced the March operation on Wednesday, describing it as "successful," but warned that device owners should still take immediate action to prevent reinfection. The Justice Department said that since the news first emerged about the rising threat of Cyclops Blink in February, thousands of compromised devices have been secured, but justified the court-ordered operation because the "majority" of infected devices were still compromised just weeks later in mid-March. Cyclops Blink is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security researchers in 2018 and later targeted by a U.S. government operation to disrupt its command and control servers. Both Cyclops Blink and VPNFilter are attributed to Sandworm, a group of hackers working for Russia's GRU, the country's military intelligence unit.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Record: The Emotet malware botnet is back up and running once again almost ten months after an international law enforcement operation took down its command and control servers earlier this year in January. The comeback is surprising because after taking over Emotet's server infrastructure, law enforcement officials also orchestrated a mass-uninstall of the malware from all infected computers on April 25, effectively wiping out the entire botnet across the internet. [O]ver the weekend, security researcher Luca Ebach said he spotted that another malware botnet named TrickBot was helping the Emotet gang get back on its feet by installing the Emotet malware on systems that had been previously infected with TrickBot. "We used to call this Operation ReachAround back when Emotet was dropped by Trickbot in the past," a spokesperson for Cryptolaemus, a group of security researchers who tracked Emotet in the past, told The Record today. [...] Cryptolaemus said that right now, the Emotet gang is not sending out any new email spam but relying on the TrickBot gang to help them create an initial footprint of their new botnet incarnation before ramping up spam operations again. But if Emotet's comeback will succeed remains to be seen. It would be very hard for Emotet to reach its previous size any time in the coming months; however, the malware strain itself remains a very sophisticated and capable threat that shouldn't be ignored.

Read more of this story at Slashdot.

"On Thursday evening, KrebsOnSecurity was the subject of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack," the site reports. Citing a new blog post from DDoS protection firm Qrator Labs, Krebs writes that "The assault came from 'Meris,' the same new botnet behind record-shattering attacks against Russian search giant Yandex this week and internet infrastructure firm Cloudflare earlier this summer." A titanic and ongoing DDoS that hit Russian Internet search giant Yandex last week is estimated to have been launched by roughly 250,000 malware-infected devices globally, sending 21.8 million bogus requests-per-second. While last night's Meris attack on this site was far smaller than the recent Cloudflare DDoS, it was far larger than the Mirai DDoS attack in 2016 that held KrebsOnSecurity offline for nearly four days. The traffic deluge from Thursday's attack on this site was more than four times what Mirai threw at this site five years ago. This latest attack involved more than two million requests-per-second. By comparison, the 2016 Mirai DDoS generated approximately 450,000 requests-per-second. According to Qrator, which is working with Yandex on combating the attack, Meris appears to be made up of Internet routers produced by MikroTik. Qrator says the United States is home to the most number of MikroTik routers that are potentially vulnerable to compromise by Meris — with more than 42 percent of the world's MikroTik systems connected to the Internet (followed by China — 18.9 percent- and a long tail of one- and two-percent countries). It's not immediately clear which security vulnerabilities led to these estimated 250,000 MikroTik routers getting hacked by Meris. "The spectrum of RouterOS versions we see across this botnet varies from years old to recent," the company wrote. "The largest share belongs to the version of firmware previous to the current stable one." Krebs writes that the biggest contributor to the IoT botnet problem remains "a plethora of companies white-labeling [cheap] IoT devices that were never designed with security in mind and are often shipped to the customer in default-insecure states... "The good news is that over the past five years, large Internet infrastructure companies like Akamai, Cloudflare and Google (which protects this site with its Project Shield initiative) have heavily invested in ramping up their ability to withstand these outsized attacks..." One year earlier, back in 2015, Krebs had answered questions from Slashdot's readers.

Read more of this story at Slashdot.

An anonymous reader quotes a report from ZDNet: Analysts from security firm Trend Micro said in a report today that they've spotted a malware botnet that collects and steals Docker and AWS credentials. Researchers have linked the botnet to a cybercrime operation known as TeamTNT; a group first spotted over the 2020 summer installing cryptocurrency-mining malware on misconfigured container platforms. Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password. Researchers said the TeamTNT group would access exposed Docker containers, install a crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company's other IT systems to infect even more servers and deploy more crypto-miners. At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials. But in a report today, Trend Micro researchers said that the TeamTNT gang's malware code had received considerable updates since it was first spotted last summer. TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code. This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.

Read more of this story at Slashdot.

TrickBot survived an initial takedown attempt, but Microsoft and its partners are countering TrickBot operators after every move, taking down any new infrastructure the group is attempting to bring up online. From a report: Last week, a coalition of cyber-security firms led by Microsoft orchestrated a global takedown against TrickBot, one of today's largest malware botnets and cybercrime operations. Even if Microsoft brought down TrickBot infrastructure in the first few days, the botnet survived, and TrickBot operators brought new command and control (C&C) servers online in the hopes of continuing their cybercrime spree. But as several sources in the cyber-security industry told ZDNet last week, everyone expected TrickBot to fight back, and Microsoft promised to continue cracking down against the group in the weeks to come. In an update posted today on its takedown efforts, Microsoft confirmed a second wave of takedown actions against TrickBot. The OS maker said it has slowly chipped away at TrickBot infrastructure over the past week and has taken down 94% of the botnet's C&C servers, including the original servers and new ones brought online after the first takedown.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Wired: FritzFrog has been used to try and infiltrate government agencies, banks, telecom companies, and universities across the US and Europe. Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down. The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including: In-memory payloads that never touch the disks of infected servers; At least 20 versions of the software binary since January; A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines; The ability to backdoor infected servers; and A list of login credential combinations used to suss out weak login passwords that's more "extensive" than those in previously seen botnets. Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that's effective, difficult to detect, and resilient to takedowns. The new code base -- combined with rapidly evolving versions and payloads that run only in memory -- make it hard for antivirus and other end-point protection to detect the malware. The botnet has so far succeeded in infecting 500 servers belonging to "well-known universities in the US and Europe, and a railway company."Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a "malware server." (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it's possible that the "malware server" is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren't immediately available to clarify.)

Read more of this story at Slashdot.