Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers (vice.com) 79
French police, with help from an antivirus firm, took control of a server that was used by cybercriminals to spread a worm programmed to mine cryptocurrency from more than 850,000 computers. Once in control of the server, the police remotely removed the malware from those computers. Motherboard reports: Antivirus firm Avast, which helped France's National Gendarmerie cybercrime center, announced the operation on Wednesday. Avast said that they found that the command and control server, which was located in France, had a design flaw in its protocol that made it possible to remove the malware without "making the victims execute any extra code," as the company explained in its lengthy report.
Cybersecurity firms such as Avast, as well as Trend Micro, had been tracking the worm, called Retadup, since last spring. Most of the infected computers were used by the malware authors to mine the cryptocurrency Monero, but in some cases it was also used to push ransomware and password-stealing malware, according to Avast. As the antivirus firm reported, most Retadup victims were in South America, with Peru, Venezuela, Bolivia and Mexico at the top of the list.
Awesome (Score:5, Interesting)
We need to hear more stories like this. Kudos to the French police!
Re: (Score:1)
Looked all over France for active malware use for a few years.
Then announced a decade later that as part of "anti cybercrime actions" a lot of files got found.
Files that had a FBI/charity/NGO/international checksum that the antivirus sweep "found" as part of detection.
The cyber police could have upgraded the antivirus software with every file that has ever been of interest to police/part of an investigation.
Full van roll and over time for all as everyone
Re: (Score:1)
upgraded everyone to Linux.
Now where would be the sport in that?
Linux may not be the end-all, be-all cure for malware, but imagine if Linux was the default OS instead of easy-to-infect Windows...imagine a world mostly free of malware and viruses.
Re: (Score:3, Insightful)
imagine if Linux was the default OS instead of easy-to-infect Windows...imagine a world mostly free of malware and viruses.
Yeah, the majority of malware would be written to infect/target it. You think it would hold up if it was the default? I doubt it very much. Security through obscurity.
Re:THe should have (Score:5, Insightful)
Yeah, the majority of malware would be written to infect/target it. You think it would hold up if it was the default? I doubt it very much.
The majority of publicly-addressed, Internet-facing computers are already Linux [makeuseof.com]. And believe me, those are attacked every second of every minute of every day.
Security through obscurity.
I can't believe you're assigning that appellation to Linux: the entire code base of any Linux distro is available for anyone to see, unlike Microsoft, who obscures theirs. The reason malware & viruses are prevalent in Windows is due to the original design decision of having local users with administrative rights (vs non-privileged users in Linux). Malware and viruses don't install themselves.
Re: (Score:2)
Re: (Score:1)
Yeah, the majority of malware would be written to infect/target it.
And we'd still be in far better shape than we are today.
Connect a Windows PC to the net without a firewall or anti-virus and *boom*, you're infected. Not so much on a Linux box.
No, Linux isn't bulletproof (and I never said it was) but it's far more secure by design. There's no question that we'd be better off in terms of botnets and zombie PCs.
Re: (Score:2)
Re: (Score:2)
A pity that anyone has to link Ars. They have a stench about them now.
That aside, is that really the fault of the Linux OS itself? Seems like people are pwning dev machines and/or software repos to deliver malware. If you compile from untainted source then you're okay.
Re: (Score:2)
Re: (Score:2)
I actually am a huge fan of open source and Linux. I just get tired of people thinking it is the cure all, and that they never can be corrupted.
For the record, I never said that or anything like it.
I said "imagine a world mostly free of malware and viruses", and I maintain that we'd be a lot closer to that state today if Linux was the default OS.
Re: (Score:2)
You quite obviously wear blinders when it comes to your favorite Operating System. https://arstechnica.com/information-technology/2019/08/the-year-long-rash-of-supply-chain-attacks-against-open-source-is-getting-worse/ [arstechnica.com]
If I give you a poisoned beer and you drink it and die, does that mean that beer is bad? No, you're conflating two things that are separate.
Supply chain attacks are not the same thing as the operating system itself being vulnerable by design, as every version of Windows has been.
Every version of Windows has been touted as "the most secure version of Windows yet", and while that may be technically true, the fact is that Windows is notoriously easy to infect or compromise compared to Linux.
Re: (Score:1)
Yet another PR stunt by the MICROS~1 publicity department. The real story being that with up-to-date anti virus software and fully patched, 850,000 Microsoft Windows desktops still managed to get owned.
Re: (Score:2)
The real story being that with up-to-date anti virus software and fully patched, 850,000 Microsoft Windows desktops still managed to get owned.
It's because fundamentally, Windows' greatest strength is its greatest weakness.
As a Windows user I can get a Win32 or Win64 executable from anywhere I want and Windows will run it. Depending on my settings (which I can turn off if I'm an admin) Windows may throw up some warnings, but fundamentally, Windows is an open platform. Wanna run an executable in an a
Re: (Score:1)
I can get an old version of any app to run on this Ubuntu desktop. The latest version will still run on older hardware, so you don't have to check if “Windows 10 is no longer supported on this PC.” ref [computerworld.com]. “windows is an open platform.”
Wha, only in the distorted meaning of the term that Microsoft invented.
“I don't have to get EXEs from an "app store." I don't
Inspector Clouseau for the win! (Score:2)
What files get looked at? (Score:2)
Every file on the computer before the remote malware action was done.
Every file on the computer after the remote malware action was done.
To ensure only the malware was gone and really all removed.
What did the French gov get to see?
Just the malware parts of the computers?
Is the Gendarmerie now expanding secret cyber investigations all over France?
Any networked computer in France is now open to approved direct action by the Gendarmerie as an anti cybercr
Re: (Score:2, Funny)
Re: (Score:2, Insightful)
It most decidedly is a slippery slope. Once the capability is firmly established, it will be extended and used for other, far less benign actions.
Re: (Score:1)
Wonder if any AV software they had on a computer sent up a report about access and system changes
The AV software may not have seen the existing malware, but could it have detected the direct French gov actions?
Will the International AV reports of France look different after gov action?
Did all other AV brands see and detect nothing? NSA style?
Re: (Score:1)
A free scan for every "open" computer network in France?
Re: (Score:2)
I mean, what if some of those people WANTED that malware?!
Then they are complicit and should be on the hook for it?
Re: (Score:2)
While I do applaud this action (Score:5, Insightful)
I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.
Re: (Score:2)
I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.
this, and given the fact that the only 100% reliable way to 'disinfect' any compromised device is resetting it to factory settings, i wonder what such a 'remote removal' procedure would accomplish. this malware must have been utterly trivial to even consider this as something worth trying. i hope they at least sent notifications to all affected too. this all sounds really weird.
Re: (Score:1)
One quick scan for one worm? Did the "desktop" computer get a "full" scan while the gov was "in" that one side of the network?
Did the DGSE get to suggest looking for more "international" malware in use in France?
Did the NSA, GCHQ, FBI, CIA give France a list of other more interesting checksums as part of wider international cooperation?
Re:While I do applaud this action (Score:4, Interesting)
Even executing a single command on a computer without permission is a crime in many jurisdictions. It really does not matter what they did for that. Of course, they could have committed multiple additional crimes along the lines of your description.
Re: (Score:1)
Nobody expected the National Gendarmerie inside the wire.
Re: (Score:2)
given the fact that the only 100% reliable way to 'disinfect' any compromised device is resetting it to factory settings
These are "computers," not cell phones. And "factory settings" might be the least safe most computers ever are.
Re: (Score:2)
These are "computers," not cell phones.
i got that this is about computers, thanks, it's mentioned in the very first sentence of the article. "resetting to factory settings" here obviously means wiping the system's storage and reinstalling all software from trusted sources. sorry if that was poor wording for you but a minimal comprehension effort on your part would also be nice.
And "factory settings" might be the least safe most computers ever are.
and an elephant might be running in circles swinging the trunk at this very moment, no clue what you are trying to say with that. are you implying an already compromised c
Re: (Score:2)
These are "computers," not cell phones.
i got that this is about computers, thanks, it's mentioned in the very first sentence of the article. "resetting to factory settings" here obviously means wiping the system's storage and reinstalling all software from trusted sources. sorry if that was poor wording for you but a minimal comprehension effort on your part would also be nice.
And yet, no. Reinstalling the OS is an idiot thing Windows users do, and a freshly installed windows OS is not going to be well-protected. It takes a whole bunch of work to secure that sort of system.
I read your defense, I still think you're clueless about the situation. Then you went crazy, something about an elephant, but dude. I didn't say any of that shit, that you think I did just proves you don't know what I'm talking about. Probably ignorance of com-pu-ters but, maybe you're just generally stupid too
Re: (Score:2)
And yet, no. Reinstalling the OS is an idiot thing Windows users do, and a freshly installed windows OS is not going to be well-protected. It takes a whole bunch of work to secure that sort of system.
I read your defense, I still think you're clueless about the situation. Then you went crazy, something about an elephant, but dude. I didn't say any of that shit, that you think I did just proves you don't know what I'm talking about. Probably ignorance of com-pu-ters but, maybe you're just generally stupid too, I don't want to rule anything out. Something about an elephant.
are you aware that it's pretty trivial to have hardened os images ready that can be restored in a blink, and that backups exist?
once a system is compromised you can't really trust it anymore except in the most trivial cases. it is pretty hard to figure out how deep the intrusion has gone. every sane security expert or sysadmin will prescribe a prompt reinstall (probably after quarantine and research). home users can be fine with their flashy antivirus swearing in nice colored fonts that the threat has been
Re: (Score:2)
Factory reset computers are sorely lacking in the months or years of acquired security updates as well as the system configuration to secure it, like (in Windows) having Remote Registry enabled in services or Cortana, among many other things. And slightly older systems before Defender was part of Windows, if we're talking about Windows, had no factory installed anti-virus. But even with other OSes, the lack of updates is problem enough.
Re: (Score:2)
given the fact that the only 100% reliable way to 'disinfect' any compromised device is resetting it to factory settings
Sounds like killing the patient to prevent the spread of an infectious disease. A factory reset is only necessary if you have no idea what you are dealing with. In this case, they probably had a very good idea of the nature of the payload, and were able to disable it without such drastic measures.
Re: (Score:2)
You appear to have it backwards. In common law systems (UK, US, Australia, etc.) judgements in court by judges or juries create law. In federal law systems (France, Germany, etc.) judgements in court do not create law.
Re: (Score:1)
cyber experts can go on scanning (French, EU) computers for worms and anything else they feel the need to detect
Re: (Score:2)
Re: (Score:1)
Not needing to care who finds out AC.
In the USA the NSA had to use methods like PRISM.
Trying to stay hidden from experts for as many years as possible.
In the USA you are protected from the gov.
In France a person has to prove they are no longer of interest to an investigation.
An investigation starts with the guilty person getting reported in France.
Re: (Score:3)
I am wondering how this can be legal.
Oh, that's easy. If the police do this, it is a priori legal.
If you or I did this . . . it would be illegal.
Re: (Score:2)
That is probably what they want everybody to believe. But there are still some nations that are not police states (yet). In addition, this was the _French_ police. Whatever they do in, say, the US, the UK or some other (proto-) police states, is very much not legal there unless they have special permissions from the local police.
Re: (Score:3)
I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.
Microsoft does all the time: https://answers.microsoft.com/... [microsoft.com]
Re: (Score:3)
I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.
Microsoft does all the time: https://answers.microsoft.com/... [microsoft.com]
Microsoft has informed every user about this and has permission via the TOU. The French police has just as much right to do anything like that outside of France as you or me.
Re: (Score:2)
I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.
Microsoft does all the time: https://answers.microsoft.com/... [microsoft.com]
Microsoft has informed every user about this and has permission via the TOU. The French police has just as much right to do anything like that outside of France as you or me.
I'm not certain - where's the part where you approve of Microsoft deleting all of your files? And what kind of idiot would approve of them deleting all of their files?
Re: (Score:2)
I'm not certain - where's the part where you approve of Microsoft deleting all of your files? And what kind of idiot would approve of them deleting all of their files?
The deleting is an accident. These do happen. Unless there is gross negligence (good luck proving that, all of MS is basically gross negligence...), what MS has by the TOU and your acceptance of them is permission to access your computer and to change files for the purpose of updates and security fixes.
Re: (Score:2)
I'm not sure that's true. A parallel could be drawn to litter. Or to a foreign object in the body. If you get shot and are unconscious, the medical professionals will go ahead and take the bullet out of your body, without even asking! How rude!
On the other hand, if they did any damage while they were in there, you could sue.
Re: (Score:3)
Emergency powers like these are created by specific laws. Yes, medical professionals have the right to make decisions in your best interest if you cannot. Anybody directly helping in an emergency has them. For example, you may always legally drag somebody unconscious from a burning building, and you may even hurt them to some degree in that process if it is unavoidable. But there are limits. If I have a DNR (Do Not Resuscitate) Order in place, then medical professionals are not allowed to save me, for example.
Re: (Score:2)
Re: (Score:2)
Excellent! That made me laugh pretty hard.
Re: (Score:3)
If any of these countries has a particular beef with France, they might think to use their legal system to retaliate, but many of these are smaller countries with not
Re: (Score:2)
I accept that it is a bit of a grey area but I suspect their logic goes something like this:
They are not removing the 'software' without the owner's permission. The owner, or more specifically the relevant software on the owner's computer, connected to their (by virtue of force majeure) server and requested instructions. That the instructions now say "delete yourself" rather than "perform a DDOS on 192.168.0.1" is immaterial to the fact that the owner did, albeit blindly, make the request, and hence granted
Re: (Score:2)
I'm pretty sure if someone came into my house and put a time bomb in my living room, the cops would come take it without asking me if it's ok. The damage from software "bombs" can be a lot worse than a real bomb.
Re: (Score:2)
a) The real bomb is actually in the jurisdiction of the cops that will take it away (or more likely blow it up remotely, along with your living room)
b) Because of a) there are specific laws in existence that say they are allowed.
Did they only wipe the worm? (Score:2)
Re: (Score:1)
Wonder how many other French and EU AV brands got "asked"/"volunteered"/"had to" to support French/ wider EU police actions?
EU based AV brands doing the same for their police in the Czech Republic, Germany, Romania, Slovakia, Finland, Spain get asked to help?
Just for the French police when "asked"? A wider EU hunt for the control side?
I'm going to assume this story is accurate (Score:5, Interesting)
Given that I'm accepting this story as a generally true and accurate account of what happened, I'm going to say this: I'm delighted that for once the police weren't just a bunch of low-brow, power-tripping thugs more interested in night-sticking non-violent environment activists than going up against violence-friendly, white supremacist skinheads. Brains and heart in the right place, and a minimum of violence. This is a good thing.
This is what law enforcement should be all about.
Re: (Score:3)
Don't confuse police in Europe with your trigger-happy, borderline paramilitary lot stateside, thank you.
Re: (Score:2)
I'm from Canada, actually. Our police have gone down that road, but not quite so far.
But don't get a cramp patting yourself on the back, my friend. There's ample documented evidence of police brutality in any European country you'd like to mention, and UK police are also known to "put the boot in" from time to time.
Re: (Score:2)
Re: (Score:2)
I've never worried about being killed by the police either, but I'm just an average older white guy. I have to say, though, I think the fact you didn't fear for your life when a gun was pointed at your head says more about you than the standards of policing.
Comment removed (Score:5, Interesting)
Re:I'm going to assume this story is accurate (Score:5, Insightful)
"To me they are just people that are doing a job. Neither to be hated, nor to get special treatment."
Maybe where you live they just do their job without special treatment, so there's no reason to hate them.
Here in the USA they get lots of special treatment, and even supposedly good cops are covering up for bad ones, which makes them bad too.
Up Next... (Score:1)
Up Next...
"We need Congress to pass this bill immediately, giving law enforcement privileged access to all PCs on the Internet, to protect people from malware. And oh by the way that includes a back door in all encryption."
Re: (Score:2)
Up Next...
"We need Congress to pass this bill immediately, giving law enforcement privileged access to all PCs on the Internet, to protect people from malware. And oh by the way that includes a back door in all encryption."
One of the strangest things about this whole story is that the announcement of the action shows that the backdoors are there already. Why tip your hand, when you can make it look like you are trying and failing to get the backdoors installed?
Re: (Score:1)
Re "that the announcement of the action shows that the backdoors are there already."
The computer was guilty until the later scan proved it was not guilty.
Re: (Score:2)
It's France.
That's where the coneheads come from. I must go consume mass quantities now.
Upgrade security patch (Score:3)
Remotely wipe malware from Windows Computers (Score:2)
French police