Last week a group of researchers announced that Grum which was the third largest botnet on the planet had been taken down by blocking the botnet’s command and control servers in both the Netherlands and Panama. What does this mean for you? It means that 18% – as much as 50% of the world’s spam volume has just disappeared.
Excellent!
However the people who run this botnet were able to briefly bring it back up before it was shut down again. It’s likely not to stay down, though bringing it back may be a problem:
“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye.”They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”
So this is a win. But it may only be a short lived one before the mayhem starts again. So enjoy the reprieve from spam while it lasts.
Russian RSocks Botnet Disrupted After Hacking Millions Of Devices
Posted in Commentary with tags Botnet on June 18, 2022 by itnerdThe U.S. Department of Justice has announced the disruption of the Russian RSocks malware botnet used to hijack millions of computers, Android smartphones, and IoT (Internet of Things) devices worldwide for use as proxy servers.
The law enforcement operation involved the FBI and police forces in Germany, the Netherlands, and the United Kingdom, where the botnet maintained parts of its infrastructure.
As alleged in the unsealed warrant, FBI investigators used undercover purchases to obtain access to the RSOCKS botnet in order to identify its backend infrastructure and its victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices throughout the world with numerous devices located within San Diego County. Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks. The RSOCKS backend servers maintained a persistent connection to the compromised device. Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSOCKS. The FBI identified at least six victims in San Diego.
Elizabeth Wharton, VP, Operations for SCYTHE had this comment:
Using these devices as proxy servers is another example of how threat actors weaponize internet connected devices to evade detection. For example, by using the device as a proxy server to create a local IP address, the malicious activity will likely go undetected because it doesn’t trigger an alert. Organizations should consider placing stronger external IP address restrictions to mitigate risk.
While this takedown of Rocks is a good thing, one has to wonder how many other similar botnets are out there. That is a cause for concern.
Leave a comment »