The U.S. Department of Justice has announced the disruption of the Russian RSocks malware botnet used to hijack millions of computers, Android smartphones, and IoT (Internet of Things) devices worldwide for use as proxy servers.
The law enforcement operation involved the FBI and police forces in Germany, the Netherlands, and the United Kingdom, where the botnet maintained parts of its infrastructure.
As alleged in the unsealed warrant, FBI investigators used undercover purchases to obtain access to the RSOCKS botnet in order to identify its backend infrastructure and its victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices throughout the world with numerous devices located within San Diego County. Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks. The RSOCKS backend servers maintained a persistent connection to the compromised device. Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSOCKS. The FBI identified at least six victims in San Diego.
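As an added illustration (not part of the article or of the DOJ filing it quotes), the following Python sketch shows the kind of detection a defender could run over a device's authentication log to spot the brute-force compromise pattern described above: many failed logins from one source within a short window, optionally followed by a success, which indicates the device was probably taken over. The log format, user names, addresses and timestamps are constructed for this example; the `login:` syslog shape, the `threshold` and `window` parameters, and the function names are assumptions, not anything from RSocks or from any real device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or any real device):
# syslog-style authentication records as an IoT device or small router
# might emit them. Source 203.0.113.7 (a documentation range) hammers the
# login with several accounts in a few seconds and finally gets in; source
# 198.51.100.20 fails once and then succeeds, which is normal user behaviour.
SAMPLE_LOG = """\
2022-06-16T10:00:01 login: FAILED password for admin from 203.0.113.7 port 51112
2022-06-16T10:00:02 login: FAILED password for admin from 203.0.113.7 port 51113
2022-06-16T10:00:02 login: FAILED password for root from 203.0.113.7 port 51114
2022-06-16T10:00:03 login: FAILED password for root from 203.0.113.7 port 51115
2022-06-16T10:00:03 login: FAILED password for user from 203.0.113.7 port 51116
2022-06-16T10:00:04 login: FAILED password for admin from 203.0.113.7 port 51117
2022-06-16T10:00:05 login: ACCEPTED password for admin from 203.0.113.7 port 51118
2022-06-16T10:30:00 login: FAILED password for alice from 198.51.100.20 port 40001
2022-06-16T10:30:09 login: ACCEPTED password for alice from 198.51.100.20 port 40002
"""

# Assumed log line shape: "<iso timestamp> login: FAILED|ACCEPTED password for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login: (?P<result>FAILED|ACCEPTED) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source addresses with >= threshold failed logins inside any sliding window.

    Returns {src_ip: {"failures": total failed attempts, "users": sorted user names tried,
    "success_after": True if an ACCEPTED login from that source follows the last failure}}.
    """
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAILED"]

        # Sliding window over the failure timestamps: advance `start` until the
        # window fits, then check whether enough failures are inside it.
        start = 0
        flagged = False
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged = True
                break
        if not flagged:
            continue

        last_failure_ts = failures[-1]["ts"]
        success_after = any(
            e["result"] == "ACCEPTED" and e["ts"] >= last_failure_ts for e in evs
        )
        findings[src] = {
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_brute_force(SAMPLE_LOG).items():
        verdict = "LIKELY COMPROMISED" if info["success_after"] else "attempted"
        print(f"{src}: {info['failures']} failures across {info['users']} -> {verdict}")
```

The `success_after` flag is the part worth acting on: a burst of failures followed by an accepted login from the same source is the signature of a guessed credential, and on a device that later keeps a long-lived outbound connection to an unknown server, it matches the persistent backend connection the warrant describes.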
Elizabeth Wharton, VP, Operations for SCYTHE, had this comment:
Using these devices as proxy servers is another example of how threat actors weaponize internet-connected devices to evade detection. For example, by using the device as a proxy server to create a local IP address, the malicious activity will likely go undetected because it doesn’t trigger an alert. Organizations should consider placing stronger external IP address restrictions to mitigate risk.
While this takedown of RSocks is a good thing, one has to wonder how many other similar botnets are out there. That is a cause for concern.