Cybercops Scrub Botnet Software From Millions of Computers
The notorious Emotet botnet software began uninstalling itself from some one million computers Sunday.
According to SecurityWeek,
the uninstall command was part of an update sent to the infected computers by
law enforcement servers in the Netherlands after Emotet's infrastructure was
compromised in January during a multinational operation mounted by eight
nations.
The poisoned upgrade deletes the Windows registry Run-key value that makes
the botnet's modules start automatically, and also stops and deletes any
associated Windows services, so the bot can no longer survive a reboot.
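The two persistence mechanisms the article describes, a Run-key autorun value and a Windows service, are easy to audit locally. The following PowerShell script is an added example and is not the article's, ESET's, or law enforcement's code; it enumerates the standard Run keys and named services, flags entries that match a supplied name or that launch a binary from a user-writable directory, and removes them only when `-Remove` is given. The names `ExampleAutorun` and `ExampleSvc` are hypothetical placeholders (real Emotet artifact names were randomized and are not given on this page), and the path heuristic is an assumption, not an Emotet signature.

```powershell
# Added example: audit (and optionally remove) Run-key and service persistence.
# Not from the original article; names below are hypothetical placeholders.
param(
    [string[]]$SuspectNames = @('ExampleAutorun', 'ExampleSvc'),  # hypothetical
    [switch]$Remove    # default is audit-only so forensic evidence is preserved
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic (assumption): commodity malware usually starts from user-writable
# locations rather than from Program Files or System32.
$userWritable = '\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\'

# 1. Enumerate every autorun value under the Run keys.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip provider metadata
        $cmd  = [string]$p.Value
        $flag = ($SuspectNames -contains $p.Name) -or ($cmd -match $userWritable)
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Flagged = $flag }
        if ($flag -and $Remove) {
            # Mirrors the uninstaller's registry step: drop the autorun value.
            Remove-ItemProperty -Path $key -Name $p.Name -ErrorAction Stop
            Write-Host "Removed autorun value '$($p.Name)' from $key"
        }
    }
}

# 2. Report, then (optionally) stop and delete each suspect service,
#    mirroring the uninstaller's service step.
foreach ($name in $SuspectNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    $path = (Get-CimInstance Win32_Service -Filter "Name='$name'").PathName
    [pscustomobject]@{ Service = $name; Status = $svc.Status; Path = $path }
    if ($Remove) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        sc.exe delete $name | Out-Null   # works on Windows PowerShell 5.1 too
        Write-Host "Stopped and deleted service '$name'"
    }
}
```

Run it from an elevated prompt. Run it once without `-Remove` first and save the output: the audit lists every autorun entry, not only the suspect ones, which is exactly what the experts quoted below are asking for, since the other malware families Emotet dropped keep their own persistence and are untouched by the law-enforcement uninstaller.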
"The threat posed by Emotet was already neutralized by the
takeover of its entire network infrastructure by law enforcement last
January," explained Jean-Ian Boutin, head of threat research at Eset, an
information technology security company based in Bratislava in the Slovak
Republic.
"Our continuous monitoring of Emotet shows that the operation
has been a complete success," he told TechNewsWorld.
"On Sunday, a cleanup procedure was activated on compromised
systems that connected to the infrastructure controlled by law
enforcement," he continued. "The update removes Emotet's persistence
mechanisms, effectively preventing the threat from reaching out to any command
and control servers in the future."
According to the U.S. Justice Department, Emotet infected 1.6
million computers globally from April 1, 2020 to Jan. 17, 2021 and caused
millions of dollars of damage to victims worldwide.
In the United States, the Cybersecurity and Infrastructure Security
Agency (CISA) estimates that Emotet infections cost state, local, tribal and
territorial governments up to US$1 million per incident to remediate.
Machines Still At Risk
Although Emotet has been neutralized, the machines it infected
remain at risk.
"Emotet itself wasn't known for many malicious behaviors,
especially in its last iterations," observed Chet Wisniewski, principal
research scientist at Sophos, a network security and threat
management company based in the UK.
"It was known for bringing along other malicious software,
which it is likely to have done before the acquisition by police of the command
and control infrastructure," he told TechNewsWorld. "Its removal has
no effect on other malicious software it may have brought along."
Boutin noted that in the last two years, Emotet actively
distributed at least six different malware families: Ursnif, Trickbot, Qbot,
Nymaim, IcedID and Gootkit.
"Once installed, the malware families run independently from
Emotet," he said. "Hence, both must be eradicated in order for the
system to be malware free."
"The gap between the network infrastructure takedown and
Sunday's cleaning operation was to allow affected organizations to find these
different malware families and take the necessary steps to clean their network,"
he explained.
"Deactivating Emotet can be seen as a first step in recovering these
machines, but it is far from the only step," added Christopher Fielder,
director of product marketing for Arctic Wolf, a
maker of cloud SIEM software.
"These machines should still be considered compromised and
assessed using an effective incident response plan," he told
TechNewsWorld.
Whether the owners of the infected machines are being notified
about the possibility of further infections is unclear, noted Dirk Schrader,
global vice president of New Net Technologies, a Naples, Fla.-based
provider of IT security and compliance software.
"It would certainly be helpful to alert the system's owner
that further forensic analysis is needed," he observed.
Significant Achievement
Removing Emotet from the threat landscape is a great achievement,
Wisniewski maintained. "It was one of the most dangerous and prolific
email threats in the world," he said.
"I think the initial takedown and acquisition of the command
infrastructure was fantastic and something we would love to see more of,"
he added.
"This latest action, however, seems like it isn't as useful
and is more of a PR move than anything that will keep the public safe,"
Wisniewski pointed out.
"The takedown is very significant," added Vinay
Pidathala, director of security research at Menlo Security,
a cybersecurity company in Mountain View, Calif.
He noted that across Menlo Security's global customer base, Emotet
was the top malware that it protected customers against in 2020.
"Emotet was also responsible for a lot of ransomware
infections, so taking down such a pervasive malware distribution platform is
good for the internet," he added.
As gratifying as the takedown of Emotet is, the havoc it wreaked
across countless networks over seven years is alarming, declared Hitesh Sheth,
president and CEO of Vectra AI, a provider of automated threat
management solutions based in San Jose, Calif.
"We must aspire to have more international cooperation for
cybersecurity plus better response time," he told TechNewsWorld.
"None of us know how many malware cousins of Emotet are doing
more damage right now," he said, "but if each takes seven years to
neutralize, we will remain in lasting crisis."
One reason it took so long to take down Emotet was the complexity
of its network infrastructure.
"Through our long-term tracking of the botnet, we identified
hundreds of command and control servers, organized in different layers and
spread out throughout the world," Boutin explained. "To be
successful, the operation needed to take down all these C&C servers at the
same time, a very difficult task."
Privacy Concerns
Security experts generally praised law enforcement for taking down
Emotet, although some had concerns about the action.
"I think takedowns are critical and law enforcement agencies
are important in being able to expedite and also put the right number of
resources to do something at scale. These actions are commendable,"
Pidathala observed.
Boutin noted that the takedown was not limited to shutting down a
botnet's infrastructure but went further with the arrest of individuals
suspected of being involved with Emotet.
"Pushing the uninstall routine on infected systems was the
icing on the cake," he said. "Hopefully this action will serve as a
reference and make future takedown operations easier and more efficient."
However, Austin Merritt, a cyberthreat intelligence analyst
at Digital Shadows, a San Francisco-based provider
of digital risk protection solutions, noted that takedowns can raise some
privacy issues.
"People targeted by Emotet may be concerned that involving the
FBI could allow them to indiscriminately go into victims' computers and see
what is there," he told TechNewsWorld. "Consequently, there may be
concerns of law enforcement obtaining nonpublic information from them."
While automatically removing malware seems to be a great answer to
these infections, especially in large deployments such as Emotet, there are
some ethical issues with the approach, added Erich Kron, security awareness
advocate at KnowBe4, a security awareness training provider
in Clearwater, Fla.
"Part of the issue is that law enforcement is actively
deleting files from privately owned devices," he told TechNewsWorld.
"Even with the best of intentions, this has the potential to become an
issue."
Coding errors could potentially cause outages and loss of revenue
or services in future automated malware removal activities, he explained.
"In addition," Kron continued, "there may be a lack
of notification to the affected organizations. This could become an issue if
the automated removal process happens at the same time the device
administrators are doing their forensic data collection or removing the malware
themselves. Without coordination, this could become a significant issue for an
organization."
"This trend, while beneficial in the short term, is a topic
that should be discussed further within the cybersecurity industry, with an
emphasis on how to manage notifications to those whose devices have been
modified, managing oversight, and potentially the option to opt out of these
law enforcement actions altogether," he added.