FBI’s Qakbot operation opens door for more botnet takedowns


The FBI’s recent takedown of the QakBot botnet sent shockwaves throughout the cybersecurity community when it was first announced last week. QakBot had become the malware of choice for dozens of hacking groups and ransomware outfits that used it to set the table for devastating attacks.

Since emerging in 2007 as a tool used to attack banks, the malware evolved into one of the most commonly seen strains in the world, steadily adding machines to its network of compromised devices. Justice Department officials said their access to the botnet’s control panel revealed it was controlling more than 700,000 infected machines, including over 200,000 in the U.S. alone.

But almost as interesting as the takedown was the way law enforcement agencies pulled off the disruption.

Senior FBI and Justice Department officials — who called it “the most significant technological and financial operation ever led by the Department of Justice against a botnet” — explained in a briefing that they managed to infiltrate the botnet’s infrastructure and take a range of actions to shut it down.

Acting under a court order, the law enforcement agencies turned the botnet’s auto-update mechanism against it, using that channel to push out a custom application that uninstalled QakBot and disabled the update feature on infected devices in the U.S.

“It’s as if the boss gave the order, ‘leave this workplace and don’t come back,’” said John Hammond, principal security researcher at the cybersecurity intelligence firm Huntress.

Chester Wisniewski, field CTO of applied research at Sophos, said the tactic reminded him of NotPetya, where a software downloader feature was abused by Russian hackers to download malware instead of updates.

“Almost all modern botnets have auto-update functionality and if you can gain control of the communications channels you can essentially make them self-destruct,” Wisniewski said. “If we start having success with that though, criminals could start using digital signatures to make this more difficult.”
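The two mechanisms described above, an auto-update channel that trusts whoever controls it, and the digital signatures Wisniewski says would make the same trick harder, are illustrated by the following Go program. It is an added example written for this article and is not QakBot’s code, the FBI’s tool, or any real botnet protocol; the message format, the `Bot` type, the `Scenario` walkthrough and both key pairs are constructed for the illustration. It models two implants: one that runs any update arriving on its channel, and one that pins the operator’s Ed25519 public key and refuses updates that do not verify. After a genuine operator update reaches both, the channel passes to a party without the operator’s signing key, which pushes an uninstall. The unauthenticated bot removes itself; the key-pinned bot rejects the message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Update is the message a bot accepts over its command channel. The format is
// constructed for this illustration and is not QakBot's real protocol.
type Update struct {
	Version int    `json:"version"`
	Action  string `json:"action"` // "load" (install a new version) or "uninstall"
}

// SignedUpdate carries the encoded Update and a detached Ed25519 signature.
// Signature is nil when the sender does not sign at all.
type SignedUpdate struct {
	Update    []byte
	Signature []byte
}

// Bot models an implant that auto-updates from whoever controls its channel.
// A nil OperatorKey is the unauthenticated case: the bot trusts the channel.
type Bot struct {
	OperatorKey ed25519.PublicKey
	Installed   bool
	Version     int
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned operator key")

// Apply processes one update. With a pinned key, anything not signed by the
// operator is refused before it is parsed; without one, the bot runs whatever
// arrives, which is the property a channel takeover relies on.
func (b *Bot) Apply(su SignedUpdate) error {
	if b.OperatorKey != nil && !ed25519.Verify(b.OperatorKey, su.Update, su.Signature) {
		return ErrBadSignature
	}
	var u Update
	if err := json.Unmarshal(su.Update, &u); err != nil {
		return err
	}
	switch u.Action {
	case "uninstall":
		b.Installed = false
	case "load":
		b.Version = u.Version
	default:
		return fmt.Errorf("unknown action %q", u.Action)
	}
	return nil
}

// SignUpdate encodes u and signs it with key; a nil key yields an unsigned message.
func SignUpdate(u Update, key ed25519.PrivateKey) (SignedUpdate, error) {
	raw, err := json.Marshal(u)
	if err != nil {
		return SignedUpdate{}, err
	}
	su := SignedUpdate{Update: raw}
	if key != nil {
		su.Signature = ed25519.Sign(key, raw)
	}
	return su, nil
}

// Result records the state of each bot variant after Scenario runs.
type Result struct {
	NaiveInstalled, HardenedInstalled bool
	NaiveVersion, HardenedVersion     int
	HardenedRejected                  bool
}

// Scenario plays out a channel takeover against both variants: a genuine
// operator update first, then an "uninstall" pushed by a party that controls
// the channel but holds only its own key, not the operator's.
func Scenario() (Result, error) {
	opPub, opPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	_, takeoverPriv, err := ed25519.GenerateKey(rand.Reader) // new channel owner's key
	if err != nil {
		return Result{}, err
	}
	naive := &Bot{Installed: true, Version: 1}
	hardened := &Bot{OperatorKey: opPub, Installed: true, Version: 1}

	// Phase 1: the real operator pushes version 2; both bots accept it.
	legit, err := SignUpdate(Update{Version: 2, Action: "load"}, opPriv)
	if err != nil {
		return Result{}, err
	}
	if err := naive.Apply(legit); err != nil {
		return Result{}, err
	}
	if err := hardened.Apply(legit); err != nil {
		return Result{}, err
	}

	// Phase 2: traffic now reaches a server the operator does not control.
	// An unsigned message (nil key) fails on the hardened bot the same way.
	kill, err := SignUpdate(Update{Version: 3, Action: "uninstall"}, takeoverPriv)
	if err != nil {
		return Result{}, err
	}
	if err := naive.Apply(kill); err != nil {
		return Result{}, err
	}
	hErr := hardened.Apply(kill)

	return Result{
		NaiveInstalled:    naive.Installed,
		HardenedInstalled: hardened.Installed,
		NaiveVersion:      naive.Version,
		HardenedVersion:   hardened.Version,
		HardenedRejected:  errors.Is(hErr, ErrBadSignature),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unauthenticated bot: installed=%v version=%d\n", r.NaiveInstalled, r.NaiveVersion)
	fmt.Printf("key-pinned bot: installed=%v version=%d rejected forged uninstall=%v\n",
		r.HardenedInstalled, r.HardenedVersion, r.HardenedRejected)
}
```

The point of the comparison is that the hardened bot still applies the operator’s own version-2 update, so pinning a key costs the operator nothing in functionality while making control of the communications channel alone insufficient to push an uninstaller. Against such a bot, a takedown of this kind would require obtaining the operator’s signing key rather than just redirecting traffic.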

Other botnets

The FBI and other law enforcement agencies have conducted similar operations in the past to take down botnets.

The FBI’s targeting of the…
