Botnet Security Technology

Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers (vice.com)

French police, with help from an antivirus firm, took control of a server that was used by cybercriminals to spread a worm programmed to mine cryptocurrency from more than 850,000 computers. Once in control of the server, the police remotely removed the malware from those computers. Motherboard reports: Antivirus firm Avast, which helped France's National Gendarmerie cybercrime center, announced the operation on Wednesday. Avast said that they found that the command and control server, which was located in France, had a design flaw in its protocol that made it possible to remove the malware without "making the victims execute any extra code," as the company explained in its lengthy report.

Cybersecurity firms such as Avast, as well as Trend Micro, had been tracking the worm, called Retadup, since last spring. Most of the infected computers were used by the malware authors to mine the cryptocurrency Monero, but in some cases it was also used to push ransomware and password-stealing malware, according to Avast. As the antivirus firm reported, most Retadup victims were in South America, with Peru, Venezuela, Bolivia and Mexico at the top of the list.

  • Awesome (Score:5, Interesting)

    by JustAnotherOldGuy ( 4145623 ) on Wednesday August 28, 2019 @09:15PM (#59135494) Journal

    We need to hear more stories like this. Kudos to the French police!

    • by AHuxley ( 892839 )
      They should have kept it a secret for a while.
      Looked all over France for active malware use for a few years.
      Then announced a decade later that as part of "anti cybercrime actions" a lot of files got found.
      Files that had a FBI/charity/NGO/international checksum that the antivirus sweep "found" as part of detection.
      The cyber police could have upgraded the antivirus software with every file that has ever been of interest to police/part of an investigation.
      Full van roll and over time for all as everyone
    • We need to hear more stories like this. Kudos to the French police!

      Yet another PR stunt by the MICROS~1 publicity department. The real story being that with up-to-date anti virus software and fully patched, 850,000 Microsoft Windows desktops still managed to get owned.
      • The real story being that with up-to-date anti virus software and fully patched, 850,000 Microsoft Windows desktops still managed to get owned.

        It's because fundamentally, Windows' greatest strength is its greatest weakness.

        As a Windows user I can get a Win32 or Win64 executable from anywhere I want and Windows will run it. Depending on my settings (which I can turn off if I'm an admin) Windows may throw up some warnings, but fundamentally, Windows is an open platform. Wanna run an executable in an a

        • As a Windows user I can get a Win32 or Win64 executable from anywhere I want and Windows will run it.

          I can get an old version of any app to run on this Ubuntu desktop. The latest version will still run on older hardware, so you don't have to check if “Windows 10 is no longer supported on this PC.” ref [computerworld.com]. “windows is an open platform.”

          Wha, only in the distorted meaning of the term that Microsoft invented.

          I don't have to get EXEs from an "app store." I don't
  • As part of a French judicial investigation?

    Every file on the computer before the remote malware action was done.
    Every file on the computer after the remote malware action was done.

    To ensure only the malware was gone and really all removed.
    What did the French gov get to see?
    Just the malware parts of the computers?
    Is the Gendarmerie now expanding secret cyber investigations all over France?
    Any networked computer in France is now open to approved direct action by the Gendarmerie as an anti cybercr
    • Re: (Score:2, Funny)

      by Xenx ( 2211586 )
      I mean, what if some of those people WANTED that malware?! They just up and stole all those bits from them. Sure, it's sarcasm.... but it's also a slippery slope.
      • Re: (Score:2, Insightful)

        by gweihir ( 88907 )

        It most decidedly is a slippery slope. Once the capability is firmly established, it will be extended and used for other, far less benign actions.

        • by AHuxley ( 892839 )
          How many malware definitions per quick scan?
          Wonder if any AV software they had on a computer sent up a report about access and system changes :)
          The AV software may not have seen the existing malware, but could it have detected the direct France gov actions?
          Will the International AV reports of France look different after gov action?
          Did all other AV brands see and detect nothing? NSA style?
      • I mean, what if some of those people WANTED that malware?!

        Then they are complicit and should be on the hook for it?

      • Comment removed based on user account deletion
  • by gweihir ( 88907 ) on Wednesday August 28, 2019 @09:46PM (#59135560)

    I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.

    • by znrt ( 2424692 )

      I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.

      this, and given the fact that the only 100% reliable way to 'disinfect' any compromised device is resetting it to factory settings, i wonder what such a 'remote removal' procedure would accomplish. this malware must have been utterly trivial to even consider this as something worth trying. i hope they at least sent notifications to all affected too. this all sounds really weird.

      • by AHuxley ( 892839 )
        Depends on what the 'remote removal' procedure was set to find and remove.
        One quick scan for one worm? The "desktop" computer get a "full" scan while the gov was "in" that one side of the network?
        Did the DGSE get to suggest looking for more "international" malware in use in France?
        Did the NSA, GCHQ, FBI, CIA give France a list of other more interesting checksums as part of wider international cooperation?
        • by gweihir ( 88907 ) on Thursday August 29, 2019 @03:22AM (#59136070)

          Even executing a single command on a computer without permission is a crime in many jurisdictions. It really does not matter what they did for that. Of course, they could have committed multiple additional crimes along the lines of your description.

          • by AHuxley ( 892839 )
            Now we know AV is not always what it is expected to be on a users computer :)
            Nobody expected the National Gendarmerie inside the wire.
      • given the fact that the only 100% reliable way to 'disinfect' any compromised device is resetting it to factory settings

        These are "computers," not cell phones. And "factory settings" might be the least safe most computers ever are.

        • by znrt ( 2424692 )

          These are "computers," not cell phones.

          i got that this is about computers, thanks, it's mentioned in the very first sentence of the article. "resetting to factory settings" here obviously means wiping the system's storage and reinstalling all software from trusted sources. sorry if that was poor wording for you but a minimal comprehension effort on your part would also be nice.

          And "factory settings" might be the least safe most computers ever are.

          and an elephant might be running in circles swinging the trunk at this very moment, no clue what you are trying to say with that. are you implying an already compromised c

          • These are "computers," not cell phones.

            i got that this is about computers, thanks, it's mentioned in the very first sentence of the article. "resetting to factory settings" here obviously means wiping the system's storage and reinstalling all software from trusted sources. sorry if that was poor wording for you but a minimal comprehension effort on your part would also be nice.

            And yet, no. Reinstalling the OS is an idiot thing Windows users do, and a freshly installed windows OS is not going to be well-protected. It takes a whole bunch of work to secure that sort of system.

            I read your defense, I still think you're clueless about the situation. Then you went crazy, something about an elephant, but dude. I didn't say any of that shit, that you think I did just proves you don't know what I'm talking about. Probably ignorance of com-pu-ters but, maybe you're just generally stupid too

            • by znrt ( 2424692 )

              And yet, no. Reinstalling the OS is an idiot thing Windows users do, and a freshly installed windows OS is not going to be well-protected. It takes a whole bunch of work to secure that sort of system.

              I read your defense, I still think you're clueless about the situation. Then you went crazy, something about an elephant, but dude. I didn't say any of that shit, that you think I did just proves you don't know what I'm talking about. Probably ignorance of com-pu-ters but, maybe you're just generally stupid too, I don't want to rule anything out. Something about an elephant.

              are you aware that it's pretty trivial to have hardened os images ready that can be restored in a blink, and that backups exist?

              once a system is compromised you can't really trust it anymore except in the most trivial cases. it is pretty hard to figure out how deep the intrusion has gone. every sane security expert or sysadmin will prescribe a prompt reinstall (probably after quarantine and research). home users can be fine with their flashy antivirus swearing in nice colored fonts that the threat has been

          • Factory reset computers are sorely lacking in the months or years of acquired security updates as well as the system configuration to secure it, like (in Windows) having Remote Registry enabled in services or Cortana, among many other things. And slightly older systems before Defender was part of Windows, if we're talking about Windows, had no factory installed anti-virus. But even with other OSes, the lack of updates is problem enough.

      • given the fact that the only 100% reliable way to 'disinfect' any compromised device is resetting it to factory settings

        Sounds like killing the patient to prevent the spread of an infectious disease. A factory reset is only necessary if you have no idea what you are dealing with. In this case, they probably had a very good idea of the nature of the payload, and were able to disable it without such drastic measures.

    • I am wondering how this can be legal.

      Oh, that's easy. If the police do this, it is a priori legal.

      If you or I did this . . . it would be illegal.

      • by gweihir ( 88907 )

        That is probably what they want everybody to believe. But there are still some nations that are not police states (yet). In addition, this was the _French_ police. Whatever they do in, say, the US, the UK or some other (proto-) police states, is very much not legal there unless they have special permissions from the local police.

    • I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.

      Microsoft does all the time: https://answers.microsoft.com/... [microsoft.com]

      • by gweihir ( 88907 )

        I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.

        Microsoft does all the time: https://answers.microsoft.com/... [microsoft.com]

        Microsoft has informed every user about this and has permission via the TOU. The French police has just as much right to do anything like that outside of France as you or me.

        • I am wondering how this can be legal. You cannot legally just remove software from some computer without the permission of the owner.

          Microsoft does all the time: https://answers.microsoft.com/... [microsoft.com]

          Microsoft has informed every user about this and has permission via the TOU. The French police has just as much right to do anything like that outside of France as you or me.

          I'm not certain - where's the part where you approve of Microsoft deleting all of your files? And what kind of idiot would approve of them deleting all of their files?

          • by gweihir ( 88907 )

            I'm not certain - where's the part where you approve of Microsoft deleting all of your files? And what kind of idiot would approve of them deleting all of their files?

            The deleting is an accident. These do happen. Unless there is gross negligence (good luck proving that, all of MS is basically gross negligence...), what MS has by the TOU and your acceptance of them is permission to access your computer and to change files for the purpose of updates and security fixes.

    • I'm not sure that's true. A parallel could be drawn to litter. Or to a foreign object in the body. If you get shot and are unconscious, the medical professionals will go ahead and take the bullet out of your body, without even asking! How rude!

      On the other hand, if they did any damage while they were in there, you could sue.

      • by gweihir ( 88907 )

        Emergency powers like these are created by specific laws. Yes, medical professionals have the right to make decisions in your best interest if you cannot. Anybody directly helping in an emergency has them. For example you may always legally drag somebody unconscious for a burning building and you may even hurt them to some degree in that process if it is unavoidable. But there are limits. If I have a DNR (Do Not Resuscitate) Order in place, then medical professionals are not allowed to save me, for example.

    • It's covered by the EULA the malware installed with itself. After self installation of the agreement, each owner signified acceptance by clicking a mouse button at some later point in time.
    • They probably committed crimes in multiple countries as a result of their actions. However, part of law enforcement is enforcement. The justice system doesn't go after every crime; many cases are simply dropped. In most of the places where these crimes happened, that's likely what will happen: the justice system will decide not to pursue it.

      If any of these countries has a particular beef with France, they might think to use their legal system to retaliate, but many of these are smaller countries with not
    • by Whibla ( 210729 )

      I accept that it is a bit of a grey area but I suspect their logic goes something like this:

      They are not removing the 'software' without the owner's permission. The owner, or more specifically the relevant software on the owner's computer, connected to their (by virtue of force majeure) server and requested instructions. That the instructions now say "delete yourself" rather than "perform a DDOS on 192.168.0.1" is immaterial to the fact that the owner did, albeit blindly, make the request, and hence granted

    • I'm pretty sure if someone came into my house and put a time bomb in my living room, the cops would come take it without asking me if it's ok. The damage from software "bombs" can be a lot worse than a real bomb.

      • by gweihir ( 88907 )

        a) The real bomb is actually in the jurisdiction of the cops that will take it away (or more likely blow it up remotely, along with your living room)
        b) Because of a) there are specific laws in existence that say they are allowed.

  • Or did they wipe malware that enables remote execution in the first place?
    • by AHuxley ( 892839 )
      If they are finding the control side too?
      Wonder how many other French and EU AV brands got "asked"/"volunteered"/"had to" to support French/wider EU police actions?

      EU based AV brands doing the same for their police in the Czech Republic, Germany, Romania, Slovakia, Finland, Spain get asked to help?
      Just for the French police when "asked"? A wider EU hunt for the control side?
  • by Miles_O'Toole ( 5152533 ) on Thursday August 29, 2019 @01:59AM (#59135968)

    Given that I'm accepting this story as a generally true and accurate account of what happened, I'm going to say this: I'm delighted that for once the police weren't just a bunch of low-brow, power-tripping thugs more interested in night-sticking non-violent environment activists than going up against violence-friendly, white supremacist skinheads. Brains and heart in the right place, and a minimum of violence. This is a good thing.

    This is what law enforcement should be all about.

  • Up Next...

    "We need Congress to pass this bill immediately, giving law enforcement privileged access to all PCs on the Internet, to protect people from malware. And oh by the way that includes a back door in all encryption."

    • Up Next...

      "We need Congress to pass this bill immediately, giving law enforcement privileged access to all PCs on the Internet, to protect people from malware. And oh by the way that includes a back door in all encryption."

      One of the strangest things about this whole story is that the announcement of the action shows that the backdoors are there already. Why tip your hand, when you can make it look like you are trying and failing to get the backdoors installed?

      • by AHuxley ( 892839 )
        It's France.
        Re "that the announcement of the action shows that the backdoors are there already."
        The computer was guilty until the later scan proved it was not guilty.
  • by Only Time Will Tell ( 5213883 ) on Thursday August 29, 2019 @10:13AM (#59137136)
    While they were at it, they should have upgraded those 850K computers to the highest patch level to prevent it from happening again! I know that isn't really feasible, but it would have been a nice touch to prevent the next worm from turning these gaping security risk computers into a botnet.
  • French police .. took control of a server that was used .. to spread a worm .. from more than 850,000 computers

    French police .. took control of a server that was used .. to spread a worm .. from more than 850,000 Microsoft Windows computers.
