The “Qakbot” botnet, a network of infected computers used by hackers to attack governments and businesses around the world, has been dismantled and destroyed. So claims United States Federal Bureau of Investigation director Christopher Wray, who delivered the news via a short video announcement attached to a press release. According to the FBI, a new technique redirected the botnet’s traffic to Bureau-controlled systems, which were then able to remotely uninstall it from hundreds of thousands of infected computers.
Bleeping Computer goes into more detail on the actual mechanism used. This particular botnet has been used in 40 or more ransomware attacks, notably targeting government infrastructure and healthcare providers, shaking down victims by locking critical systems and stealing personal data, then extorting payment via hard-to-trace cryptocurrency. The system has been operating since at least 2008, and has been used in conjunction with mass “lures” and social engineering techniques to establish infections on Windows devices. Once delivered, the Qakbot infection (also known as Qbot or Pinkslipbot) can steal emails and other personal information while harnessing the machine to spread itself to even more victims.
According to the report, the FBI and its domestic and international law enforcement partners seized a critical piece of the botnet’s server infrastructure. Once it was secured, the Bureau created new encryption systems to lock the botnet’s commands away from its original owners and whomever they had been sharing it with, then created an uninstallation tool. The FBI used the Qakbot network itself to distribute the tool, which ran on infected machines and effectively dismantled the botnet with the same mechanism that built it in the first place.
Oh, and the campaign that took down Qakbot was called “Operation Duck Hunt.” Nice.
It’s a rare and dramatic win against malware makers, stopping a system that’s stolen hundreds of millions of dollars and countless digital identities. For a more comprehensive breakdown on the operation, read Bleeping Computer’s report.