Google says it has taken legal and technical action against Russia-based botnet Glupteba.
“Botnets are a real threat to internet users, and require the efforts of industry and law enforcement to deter them,” wrote Google’s vice president of security, Royal Hansen, and general counsel Halimah DeLaine Prado.
The ad giant claimed that its own investigation revealed that Glupteba encompasses about one million compromised devices worldwide, sometimes growing at a speed of thousands per day.
The infiltrated devices form a network, or botnet, which uses the hijacked machines to steal information or commit fraud then shielding itself through blockchain technology.
“Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers,” said Prado and Hansen.
Glupteba is essentially a dropper with extensive backdoor functionality that keeps itself hidden and out of sight.
The malware is installed through pay-per-install networks and via traffic purchased from traffic distribution systems.
After finding a specific git repository URL repeated in Glupteba binaries, Google’s Threat Analysis Group (TAG) said it was able to identify online services being peddled by its operators. Up for purchase were access to virtual machines with stolen credentials, proxy access, and credit card numbers for use serving malicious ads or payment fraud.
In a blog outlining technical action taken, the TAG team said it had terminated 63 million Google Docs, 1,183 Google accounts, 908 cloud projects, 870 Google ads associated with the malware, and warned 3.5 million users wanting to download malicious files not to proceed. Industry partners like CloudFlare took down infected servers and replaced them with interstitial warning pages.
Indicators of compromise were listed on the post.
Although Glupteba’s key command-and-control infrastructure was disrupted, the TAG said the operators could regain control via a backup mechanism that uses data encoded on the Bitcoin blockchain.
“The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shutdown,” said Hansen and Prado, adding that such cybercrime was becoming more commonplace due to its resiliency.
To fight against the emerging malware trend, prevent the criminals from simply setting things back up, and set a precedent for legal liability, the Chocolate Factory also launched what it qualifies as “the first lawsuit against a blockchain enabled botnet” [PDF]. It filed the complaint under seal on 2 December and it was unsealed yesterday.
The company is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act, and more against two Russian blokes named Dmitry Starovikov and Alexander Filippov. A temporary restraining order was also filed.
Google also alleges others were involved, but they remain unnamed, referred to as Does 1 through 15 and the “Glupteba Enterprise” in general.
The complaint for damages, in an amount to be proven at trial, and injunctive relief was filed in the US District Court for the Southern District of New York. ®