Retadup Botnet Killed by Cops – 1 Million PCs Saved - Security Boulevard

Last week, in a little-noticed announcement, French police disclosed they’d disrupted a large malware command-and-control infrastructure. Not only that, but they were able to remotely disinfect the PCs that connected to the C&C servers.

At the current count, at least a million infected Windows PCs have been saved from malicious cryptocurrency mining. They’ve been released from the scourge of Retadup malware infection.

Sensational! In today's SB Blogwatch, we are fired.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: check‑1‑2.


Monero-Mining Malware Massacred

What’s the craic? Lorenzo Franceschi-Bicchierai reports—“Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers”:

 French police, with help from an antivirus firm, took control of a server that was used by cybercriminals to spread a worm programmed to mine cryptocurrency. … The police remotely removed the malware from … more than 850,000 computers.

Avast said that they found that the command and control server … was located in France. … Cybersecurity firms such as Avast [and] Trend Micro, had been tracking the worm, called Retadup, since last spring. … This takedown is a good example of how law enforcement agencies are starting to push the boundaries.

And Zack Whittaker adds, “Police hijack a botnet”:

 The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. … The malware also has wormable properties, allowing it to spread from computer to computer.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. … The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. … After receiving the go-ahead from prosecutors … the police went ahead with the operation to take control of the server and disinfect affected computers.

The operation worked by secretly obtaining a snapshot of the malware’s command and control server. … The researchers built their own replica, which disinfected victim computers instead of causing infections.

Representing the researchers, Jan Vojtěšek writes, “Avast Works With France And US To Stop Cryptomining”:

 The cybercriminals behind Retadup had the ability to execute additional arbitrary malware on hundreds of thousands of computers worldwide. … Our main objectives were to prevent them from executing destructive malware on a large scale, and to stop the cybercriminals from further abusing infected computers.

We shared our threat intelligence on Retadup with the Cybercrime Fighting Center (C3N) of the French National Gendarmerie, and proposed a technique to disinfect Retadup’s victims. [Our] disinfection server responded to incoming bot requests with a specific response that caused connected pieces of the malware to self-destruct. … The design flaw we [exploited] did not involve making the victims execute any extra code.

The findings from the analysis … were quite surprising. All of the executable files on the server were infected with the Neshta fileinfector. The authors of Retadup accidentally infected themselves with another malware strain!

Some parts of the C&C infrastructure were also located in the US. The Gendarmerie alerted the FBI who took them down.

And did they miss a trick? Here’s Only Time Will Tell:

 While they were at it, they should have upgraded those 850K computers to the highest patch level to prevent it from happening again! … It would have been a nice touch to prevent the next worm from turning these … security risk computers into a botnet.

But but but, why doesn’t Avast’s writeup talk about this C&C “design flaw”? Tillmann Werner—@nunohaien—theorizes thuswise:

 Based on the supported commands, it sounds like an update was pushed, presumably to replace the bot’s AutoIt script with an empty file.

In fact, an update command with an empty URL should also work. There’s no parameter validation happening, so the malware will happily proceed to deleting its AutoIt script, even if the update command doesn’t contain a valid URL.
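As an added illustration (not code from the original post, from Avast, or from Werner), here is a hypothetical Python model of the mechanism Werner theorizes: a bot whose "update" handler removes its own script before it looks at the URL parameter, beside the validating handler that would have refused the empty-URL command. The command shape, the class names, the `.au3` path and the in-memory "filesystem" are assumptions made for the example; nothing here is Retadup's actual protocol or code.

```python
"""Hypothetical model of the C&C 'update' flaw theorized above.

Added illustration, not Retadup's code: the command names, the wire
shape and the bot classes are assumptions for the example. The
'filesystem' is an in-memory dict so the script runs offline.
"""
from urllib.parse import urlparse


class FlawedBot:
    """Bot whose update handler deletes its own script before checking the URL."""

    def __init__(self, fs, script_path="bot.au3"):
        self.fs = fs                # constructed in-memory filesystem: path -> contents
        self.script_path = script_path
        self.downloads = []         # URLs the bot would have fetched (no network here)

    def handle(self, cmd):
        # Assumed wire shape: {"cmd": "update", "url": "<where to fetch the new script>"}
        if cmd.get("cmd") == "update":
            # No parameter validation: the old script is removed unconditionally...
            self.fs.pop(self.script_path, None)
            url = cmd.get("url", "")
            # ...and the replacement is only fetched when a URL was supplied, so an
            # empty URL leaves the bot with nothing to run at its next start.
            if url:
                self.downloads.append(url)
                self.fs[self.script_path] = f"<contents fetched from {url}>"
            return "updated"
        return "ignored"


class ValidatingBot(FlawedBot):
    """Same bot with the check the flawed handler lacks: validate before acting."""

    def handle(self, cmd):
        if cmd.get("cmd") == "update":
            url = cmd.get("url", "")
            parsed = urlparse(url)
            # Refuse the command unless it names an HTTP(S) location; only then
            # touch the script on disk.
            if parsed.scheme not in ("http", "https") or not parsed.netloc:
                return "rejected"
            self.downloads.append(url)
            self.fs[self.script_path] = f"<contents fetched from {url}>"
            return "updated"
        return "ignored"


def disinfection_response():
    """What a sinkhole standing in for the C&C would answer every check-in with."""
    return {"cmd": "update", "url": ""}


def run_checkin(bot_cls):
    """Simulate one bot check-in against the sinkhole and report the outcome."""
    fs = {"bot.au3": "<original malicious AutoIt script>"}  # constructed sample state
    bot = bot_cls(fs)
    result = bot.handle(disinfection_response())
    return {
        "result": result,
        "script_present": bot.script_path in fs,
        "downloads": list(bot.downloads),
    }


if __name__ == "__main__":
    for cls in (FlawedBot, ValidatingBot):
        print(cls.__name__, run_checkin(cls))
```

The point of the contrast is the one Avast makes: the disinfection response carries no payload for the victim to execute, so the only thing the sinkhole relies on is the bot's own missing check. A handler that validates the parameter before deleting anything (the `ValidatingBot` path) would have forced the takedown to use a different lever.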

Wait. Pause. On what legal basis did the French disinfect PCs in other countries? Sololoquor wants to know:

 So the police became the effective owners of the botnet and used its network to issue commands to the zombies?

Still sounds illegal and a grey area at best.

So Njovich tries this:

 Realistically no country is going to challenge them on this. … The reasoning is probably along the lines of that the C&C was in France and therefore this was part of a crime being committed on French jurisdiction. They will likely explain it as that they just took reasonable and proportional action to stop a crime from being committed.

If you commit crimes across international borders on the internet there is very little law governing what countries can do. … This makes it hard to determine jurisdiction and for a country to convince itself that it is allowed to take action.

Meanwhile, EmagGeek looks ahead and shudders:

 Up Next…

“We need Congress to pass this bill immediately, giving law enforcement privileged access to all PCs on the Internet, to protect people from malware. And oh, by the way, that includes a back door in all encryption.”

And Finally:

What’s your favorite shortcut key?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: kenatius (cc:by-sa)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
