Tue. Dec 10th, 2019

French police dismantled a botnet by exploiting its own flaw to trigger self-destruction, freeing 850,000 computers

The Czech security company AVAST recently tracked a backdoor program, the Retadup worm, which mainly infects computers in Latin America and forms a huge botnet used for cryptocurrency mining. During the tracking, the company discovered that some of the botnet's servers were located in France and notified French law enforcement. Normally, law enforcement would simply seize and shut down such servers belonging to the attackers, but this time there was a surprise: the botnet server was not destroyed.

According to the analysis, this backdoor infects a large number of computers, immediately loads a mining module from a remote server, and then uses the victim's computer to mine the Monero cryptocurrency. The backdoor is actually quite feature-rich: it can be used to remotely control the victim's computer, access the user's files, and turn on the camera for surveillance.

It spreads mainly as a worm: infected computers infect other computers, and machines that have not been patched in time become infected. The attacker behind it, however, only wants to infect as many computers as possible and then use their hardware resources to mine; the more infections, the higher the mining revenue. The main areas of infection are Spanish-speaking countries in Latin America, such as Mexico, Venezuela, Argentina, and Ecuador.

Interestingly, the French police did not destroy the server outright after taking control of the remote servers, because analysis had found a fatal flaw in the botnet. To exploit this flaw, one only needed to issue a remote command to all computers in the botnet; the backdoors on those computers would then start self-destructing without any intervention on the infected machines. After the remote self-destruction command was issued, hundreds of thousands of infected computers checked in and the backdoor program was quickly cleaned up. This is why the French police did not simply destroy the server. Of course, the so-called self-destruction command is not something the hacker idly developed; rather, the protocol used by the remote control server has a design flaw that makes self-destruction possible.

The French police took control of these remote servers for analysis and found that the servers themselves had been infected with a Trojan virus named NESHTA. It is unclear how the controller of this botnet came to be infected by other viruses.