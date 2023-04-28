



A US court recently issued an injunction against a group of cybercrooks allegedly operating abroad based on a formal legal complaint from internet giant Google.

Based on the evidence it gathered about the cybergang loosely known as the CryptBot crew, and using its size, influence and network data, Google seems to have decided to say "no more!" to a gang that allegedly was:

Using Google's product names, icons and trademarks as a front for a rogue software distribution service.

Running a "pay-per-install" service for software bundles that deliberately injected malware into victims' computers.

Operating a botnet (robot or zombie network) to steal, collect and collate personal data from hundreds of thousands of victims in the United States.

You can read the court documents online as PDFs, thanks to our friends at the online publication The Register for posting them.

loot at will

The data these CryptBot criminals allegedly looted included browser passwords, illegally snapped screenshots, cryptocurrency account data, and other PII (Personally Identifiable Information).

The court order states:

Defendants are responsible for distributing a botnet that infected approximately 672,220 CryptBot victim devices in the United States last year. A botnet’s prodigious computing power could be exploited for other criminal schemes at any time.

For example, defendants may enable large-scale ransomware or distributed denial-of-service attacks against legitimate businesses and other targets. Defendants themselves may carry out such harmful attacks or sell access to botnets to third parties for that purpose.

Given that the defendants were apparently operating out of Pakistan, and unsurprisingly did not appear before the court to argue their side of the case, the court decided the outcome without hearing from them.

Nonetheless, the court found in Google's favor on charges involving violations of the Computer Fraud and Abuse Act, trademark rules, and racketeering laws (loosely speaking, the laws against so-called organized crime, meaning committing crimes as if you were running a business):

[The court finds in favor of a] temporary injunction. Criminal gangs are deceiving users and hurting Google. There are no countervailing factors against a temporary injunction. There is no good reason why the defendants should be allowed to continue distributing malware or cracked software and operating infected computers to carry out their criminal schemes. […]

Every day, defendants infect new computers, steal more account information, and trick unsuspecting victims. Protection from malicious cyber-attacks and other cyber-crime is of great public interest.

As you can imagine, some aspects of the injunction follow a kind of legalism that strikes non-lawyers as tautological: the order officially demands that the criminals stop committing their crimes, with no more stealing of victims' data and no more selling of the stolen data to other scammers.

block that traffic

Interestingly, however, the court order also allows Google to identify, directly or indirectly, the network providers whose services enable this crime, and "[requests] that these individuals and entities use their reasonable best efforts" to stop the malware and the data theft.

This intervention isn't limited to companies such as domain name registrars and hosting providers. (Court orders often require server names to be taken away from the criminals and handed over to law enforcement or to the victimized company, and websites or web servers to be taken down.)

Perhaps to make it harder for these scammers to migrate their servers to a hosting provider that either cannot be identified at all or willingly ignores US takedown requests, the court's directive even covers blocking network traffic known to be sent to and from domains associated with the CryptBot crew.

After all, the final network hop that malicious traffic takes to reach a US victim almost certainly passes through an ISP under US jurisdiction.

For clarity, the court order does not require, or even mention, snooping on, intercepting, or storing the data transferred. It only talks about taking "reasonable steps to identify" and "reasonable steps to block" traffic to and from the list of identified domains and IP numbers.

In addition, the order covers blocking traffic "to and/or from other IP addresses or domains that Defendants may move the botnet infrastructure through," and gives Google "the right to amend [its list of network locations to block] to identify other domains or similar identifiers used by Defendants in connection with the malware distribution enterprise."
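To show what "identify" and "block" against a list of domains and IP numbers amounts to in practice for a network operator, here is an added illustration (not code from the court order, Google, or Sophos). It matches constructed flow records against a block list that can be amended as new indicators are found, treating a listed domain as covering its subdomains but not look-alike names, and matching addresses against CIDR ranges. Every domain, address and flow record in it is a placeholder made up for the example, not a real CryptBot indicator.

```python
"""Block-list matcher for traffic to/from listed domains and IP ranges.

Added illustration, not the court order's or Google's code: all indicators
and flow records below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BlockList:
    """Domains and networks to block; amend it as new indicators are found."""
    domains: set = field(default_factory=set)
    networks: list = field(default_factory=list)

    def add_domain(self, name):
        # Normalise so "C2.Example-Bad.test." and "c2.example-bad.test" compare equal.
        self.domains.add(name.lower().rstrip("."))

    def add_network(self, cidr):
        # strict=False also accepts a bare host address, which becomes a /32 (or /128).
        self.networks.append(ipaddress.ip_network(cidr, strict=False))

    def domain_blocked(self, host):
        host = host.lower().rstrip(".")
        # A listed domain covers its subdomains ("updates.example-bad.test"),
        # but not look-alikes such as "notexample-bad.test".
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def ip_blocked(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # malformed or empty address: not a match
        return any(addr in net for net in self.networks)

    def reason(self, flow):
        """Return why a flow should be blocked, or None if it is allowed."""
        for key in ("src", "dst"):
            if self.ip_blocked(flow.get(key, "")):
                return f"{key} ip {flow[key]} is listed"
        host = flow.get("host")
        if host and self.domain_blocked(host):
            return f"host {host} is listed"
        return None


def filter_flows(flows, blocklist):
    """Split flows into those allowed and those blocked (with the reason)."""
    allowed, blocked = [], []
    for flow in flows:
        why = blocklist.reason(flow)
        if why:
            blocked.append((flow, why))
        else:
            allowed.append(flow)
    return allowed, blocked


# Constructed block list: placeholder indicators, not the real ones.
BLOCKLIST = BlockList()
BLOCKLIST.add_domain("example-bad.test")
for net in ("203.0.113.0/24", "198.51.100.7"):
    BLOCKLIST.add_network(net)

# Constructed flow records, in the shape a resolver or flow log might give
# (source address, destination address, and the hostname if one is known).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "93.184.216.34", "host": "www.example.com"},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "host": None},
    {"src": "10.0.0.7", "dst": "192.0.2.1", "host": "updates.example-bad.test"},
    {"src": "10.0.0.8", "dst": "192.0.2.2", "host": "notexample-bad.test"},
    {"src": "198.51.100.7", "dst": "10.0.0.9", "host": None},
]


def demo():
    """Run the sample flows through the sample block list."""
    return filter_flows(SAMPLE_FLOWS, BLOCKLIST)


if __name__ == "__main__":
    allowed, blocked = demo()
    for flow, why in blocked:
        print("BLOCK", flow, "->", why)
    print(len(allowed), "flows allowed")
```

Only the address and hostname fields are consulted, which mirrors the order's scope: no payload is inspected or stored, and a flow is decided purely on whether its endpoints appear on the list.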

Finally, the restraining order states in one powerful sentence:

Defendants and their agents, representatives, successors or assigns, and all persons acting in cooperation or participation with any of them, as well as banks, savings and loan associations, credit card companies, credit card processors, merchant acquiring banks, financial institutions, or other companies or institutions engaged in the disposition or transfer of money and/or real or personal property, who receive actual notice of this order by personal service or otherwise, are temporarily restrained from transferring, disposing of, or secreting any money, stocks, bonds, real or personal property, or other assets of the defendants, or from paying or transferring money, stocks, bonds, real or personal property, or other assets of the defendants from any account associated with or used by any Defendant, without prior approval of the court.

In plain English, if you try to help this lot cash in on their ill-gotten gains, you're in trouble, whether or not you take your 30 pieces of silver for doing so. Or so we guess!

does it work?

Will this put a massive dent in CryptBot operations? Or will the activity simply re-emerge under a new name, building a new botnet with new malware distributed from new servers?

We don't know.

However, given that the names of these criminal suspects have now been made public, and that more than two-thirds of a million computers in the United States alone are said to have been infected with the CryptBot zombie malware last year…

…even a slight dent in their activity would surely help.

what to do?

To reduce the risk of getting infected with zombie malware:

Stay away from sites that offer unofficial downloads of popular software. Even seemingly legitimate download sites may not be able to resist adding their own "secret sauce" to downloads that are readily available from the vendor's own official channels.

Don't assume that the first result from a search engine is the product's official website and simply click on it. If in doubt, ask someone you trust to help you find the actual vendor and the proper download location.

Consider running a real-time malware blocking tool that not only scans downloads, but also proactively prevents access to risky or downright dangerous download servers. Sophos Home is free for up to 3 users (Windows and/or Mac), and low-cost for up to 10 users. You can invite friends and family to share your licence and manage their devices remotely through a cloud-based console. (You don't have to run a server at home!)

Don't go looking for pirated or cracked programs. If you can't or won't pay for a commercial product, find a free or open source alternative that you can get from a legitimate download server, even if that means learning a new product or giving up a feature you love.

