Quote:
Qakbot, one of the largest and longest-running botnets to date, was taken down following a multinational law enforcement operation spearheaded by the FBI and known as Operation 'Duck Hunt.'
The botnet (also known as Qbot and Pinkslipbot) was linked by law enforcement to at least 40 ransomware attacks against companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage, according to conservative estimates. Over the past 18 months alone, losses have surpassed 58 million dollars.
Statement by FBI Director Christopher Wray:
https://www.youtube.com/watch?v=mIeUT0QmqfU
Qakbot botnet dismantled
The interesting part here is the approach they used to carry out this large operation...
You can find some details here:
https://www.justice.gov/usao-cdca/di...kbot-resources
So they (the FBI) have run their own instruction program to uninstall the malware on 700,000 servers/computers, of which 200,000 are in the USA, as I have understood it.
This is a new approach being used to cut the link/connection to the botnet itself. It entails an action that directly gives the FBI instructions to go in and instruct a server/computer to do what they want; in this case it looks like it is just a matter of cutting the connection to the botnet itself and removing the source on the server.
The actual warrant for this can be found here:
https://www.justice.gov/d9/2023-08/2...n_redacted.pdf
Quote:
Fourth, infected computers subject to this warrant that make up the botnet would then communicate with the FBI Server instead of the Tier 3 server. As noted above, the Qakbot malware instructs the infected computers to contact the Tier 3 server every one to four minutes. When those infected computers contact the FBI Server, the server will instruct them to download a second file created by law enforcement (“the Qakbot Uninstaller”). This warrant would authorize this action, with the intent that computers in the United States that are infected with the Qakbot malware will download the Qakbot Uninstaller from the FBI Server via the FBI-controlled Tier 1 servers. The proposed warrant therefore authorizes law enforcement officers to seize or copy from the infected computers electronically stored information related to the Qakbot malware, including IP addresses and routing information, necessary to determine whether the infected computer continues to be controlled by the Qakbot botnet.

16. The FBI Server will be a dead end. It will not further route or relay communications received from the infected computers. It will not capture content from the infected computers. However, the FBI Server will collect the IP address and associated routing information of the infected computers for victim notification purposes. To facilitate that capture, U.S. authorities will also seek separate pen register / trap and trace orders pursuant to 18 U.S.C. §§ 3121 et seq. for the FBI Server.

17. The FBI Supernode Module and the Qakbot Uninstaller do not collect content from the infected computers, nor do they alter the functionality of the infected computers’ operating systems, files, or software, except as expressly provided in this affidavit. The FBI Supernode Module and the Qakbot Uninstaller do not remediate malware that was already installed on the infected computer through Qakbot, such as ransomware or other malware that steals financial credentials. However, the Qakbot Uninstaller is designed to prevent additional malware from being installed on the infected computer through the Qakbot botnet by untethering the victim computer from the botnet.
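The affidavit quoted above notes that infected hosts contact the Tier 3 server every one to four minutes, which is exactly the kind of fixed-cadence check-in a defender can look for in outbound connection logs. The script below is an added example, not code from the post, the affidavit, or the FBI; it runs a simple beaconing test over a constructed sample log. The log format, the thresholds (60 to 240 seconds mean interval, coefficient of variation at most 0.2, at least five events per flow) and the host addresses are all assumptions made for the example.

```python
"""Flag source/destination pairs whose check-in cadence looks like a fixed-interval beacon."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not real traffic):
# "<ISO timestamp> <source host> <destination IP> <destination port>".
# 10.0.0.5 contacts 203.0.113.10 roughly every two minutes (beacon-like);
# 10.0.0.7 contacts 198.51.100.20 at irregular, user-driven intervals.
SAMPLE_LOG = """\
2023-08-25T10:00:00 10.0.0.5 203.0.113.10 443
2023-08-25T10:02:03 10.0.0.5 203.0.113.10 443
2023-08-25T10:04:01 10.0.0.5 203.0.113.10 443
2023-08-25T10:06:04 10.0.0.5 203.0.113.10 443
2023-08-25T10:08:00 10.0.0.5 203.0.113.10 443
2023-08-25T10:10:02 10.0.0.5 203.0.113.10 443
2023-08-25T10:00:10 10.0.0.7 198.51.100.20 443
2023-08-25T10:00:15 10.0.0.7 198.51.100.20 443
2023-08-25T10:07:40 10.0.0.7 198.51.100.20 443
2023-08-25T10:07:42 10.0.0.7 198.51.100.20 443
2023-08-25T10:31:00 10.0.0.7 198.51.100.20 443
2023-08-25T10:31:01 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_interval=60, max_interval=240, max_cv=0.2, min_events=5):
    """Return flows whose gaps between connections are both regular and inside
    the expected check-in window.

    The interval window (60-240 s) mirrors the "every one to four minutes"
    cadence described in the affidavit; the coefficient-of-variation cap is an
    assumed tolerance for the jitter a real beacon shows.
    """
    findings = []
    for (src, dst), times in flows.items():
        if len(times) < min_events:
            continue
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        # Coefficient of variation: how regular the gaps are relative to their mean.
        cv = pstdev(gaps) / avg if avg else float("inf")
        if min_interval <= avg <= max_interval and cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(ordered),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['mean_interval_s']}s over {hit['events']} events (cv={hit['cv']})")
```

Running it on the sample flags only the 10.0.0.5 flow (mean gap about 120 s, coefficient of variation about 0.02); the browsing-like 10.0.0.7 flow has a mean gap outside the window and wildly varying gaps, so it is ignored. On real data the same test is applied to flow or proxy logs per host, and a hit is a lead for triage, not a verdict: many legitimate agents poll on a fixed timer too, so the destination and the process behind the connection still need to be checked.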