Police hijack botnet, clearing 850,000 infections

It sounds like something out of a hacking movie: slow heavy metal music plays while the hero goes to town on their keyboard, green text and 3D imagery flashing by. He explains to his partner that he’s going to take the botnet down from the inside; the infected computers will cure themselves. They hit the Enter key like it insulted someone’s mother. The over-sized screen, covered in red dots, slowly starts to turn white. The virus is cleared. The real-life version didn’t happen quite like that, but it might not be far off: French police hijacked and then cleared a botnet with nearly a million infected computers.

Not the actual botnet.

Retadup is, according to antivirus firm Avast, a malicious worm affecting Windows machines throughout Latin America. It’s designed to install on the infected machine and then begin mining for cryptocurrency. Avast discovered a flaw in the malware’s command and control server that would allow someone in command of the botnet to remove the malware from infected computers without pushing any new code to those computers.

The firm knew it could clear the botnet, but didn’t have the legal authority to pull the trigger. So it reached out to French police. While the botnet itself focused on Latin America, the botnet’s infrastructure was located in France. In July of this year, the police got the go-ahead from the prosecutor. Avast prepped a disinfection server. When they brought it online, thousands of bots began connecting to it and accepting the self-destruct command.

The whole operation had to be done very carefully. While cryptocurrency mining is a huge waste of power, it’s hardly malicious. If the botnet operators had become aware of the sting operation, they could’ve pushed out ransomware or something a lot more malicious. Sitting unaware, they were simply pulling in passive income.

Don’t skip that antivirus app

The police could provide only limited information to Avast due to privacy laws, but the firm uncovered some interesting stuff. The botnet operators themselves were infected with another worm, Neshta. Avast cheekily notes that its software would’ve protected Retadup authors.

The firm also noted that of the computers infected, 82% of the systems were running Windows 8.1 or earlier; over 52% ran Windows 7. 85% of the victims had no third-party anti-virus installed. That’s not a problem in itself these days, but many had also disabled whatever protection they did have.

French police believe that the authors were mining several million euros worth of cryptocurrency each year since 2016, and think the botnet extended to as many as 140 countries.

The police said they have not yet apprehended the perpetrators, and warned that the authors could re-create a platform like this at any time and could refocus a new botnet to attack corporations or other institutions. It really does sound like something out of a movie, and it’s rare that anything that happens on the internet comes out sounding so cinematic.
