Highlights

  • Google has removed accounts and taken down servers and domains operated by the Glupteba malware botnet.
  • The disruption to the Glupteba botnet appears to be temporary, according to Google.
  • The Glupteba botnet makes use of the blockchain to defend itself.

Google announced that it has filed a lawsuit against a sophisticated, Russia-based “multi-component” botnet called Glupteba, which defends itself using the blockchain and typically targets Windows devices. According to Google’s investigation, the Glupteba botnet has so far infected approximately one million Windows machines worldwide. Its command-and-control server addresses have been saved on Bitcoin’s blockchain as a resilience mechanism. The botnet can grow at a rate of thousands of new devices per day.
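The resilience mechanism above rests on a simple property: data written into a Bitcoin transaction cannot be taken down the way a domain or server can. The following is an added example, not code from the article or from Google’s TAG, showing how a defender can inspect a raw Bitcoin transaction for embedded data-carrier outputs and pull out anything that looks like a server address. It assumes the addresses are stored as plain text in OP_RETURN outputs; the article only says the addresses are saved on the blockchain, so the storage format is an assumption made here, and a real botnet may encode or encrypt the payload, in which case the extraction step would need matching decoding logic. The transaction used as input is constructed inside the block and is not a real on-chain transaction.

```python
"""Scan a raw Bitcoin transaction for OP_RETURN outputs and extract domain-like strings.

Added example for illustration. ASSUMPTION: C2 addresses are embedded as plain
text in OP_RETURN outputs. The sample transaction is constructed locally.
"""
import re
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E

# hostname with at least one dot, optional :port; labels are letters, digits, hyphens
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}(?::\d{1,5})?", re.IGNORECASE)


def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_tx_outputs(raw):
    """Walk a serialized (legacy or segwit) transaction and return its outputs
    as a list of (value_in_satoshis, script_bytes)."""
    pos = 4  # skip the 4-byte version field
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:  # segwit marker + flag
        pos += 2
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36  # previous txid (32 bytes) + output index (4 bytes)
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + 4-byte sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    # witness data (if any) and locktime follow; not needed to inspect outputs
    return outputs


def op_return_payloads(script):
    """If script is an OP_RETURN output, return the data chunks it pushes."""
    if not script or script[0] != OP_RETURN:
        return []
    chunks, pos = [], 1
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 0x4B:          # direct push of 1..75 bytes
            size = op
        elif op == OP_PUSHDATA1:
            size, pos = script[pos], pos + 1
        elif op == OP_PUSHDATA2:
            size, pos = struct.unpack_from("<H", script, pos)[0], pos + 2
        elif op == OP_PUSHDATA4:
            size, pos = struct.unpack_from("<I", script, pos)[0], pos + 4
        else:
            break                    # OP_0 or a non-push opcode: nothing more to take
        chunks.append(script[pos:pos + size])
        pos += size
    return chunks


def extract_candidate_c2(raw_tx_hex):
    """Return domain-like strings found in the OP_RETURN outputs of a raw transaction."""
    raw = bytes.fromhex(raw_tx_hex)
    found = []
    for _value, script in parse_tx_outputs(raw):
        for chunk in op_return_payloads(script):
            found.extend(m.decode("ascii") for m in DOMAIN_RE.findall(chunk))
    return found


def build_sample_tx(payload):
    """Construct a minimal legacy transaction (constructed test data, not a real
    on-chain transaction) with one dummy input and a single OP_RETURN output."""
    def varint(n):
        return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)

    def push(data):
        if len(data) <= 0x4B:
            return bytes([len(data)]) + data
        return bytes([OP_PUSHDATA1, len(data)]) + data

    script = bytes([OP_RETURN]) + push(payload)
    tx = struct.pack("<i", 1)                                        # version
    tx += varint(1) + b"\x11" * 32 + struct.pack("<I", 0)            # one input: txid, vout
    tx += varint(0) + b"\xff\xff\xff\xff"                            # empty scriptSig, sequence
    tx += varint(1) + struct.pack("<q", 0) + varint(len(script)) + script  # one output
    tx += struct.pack("<I", 0)                                       # locktime
    return tx.hex()


if __name__ == "__main__":
    sample = build_sample_tx(b"c2 update: example-c2.invalid:443 backup.example-c2.invalid")
    print(extract_candidate_c2(sample))
```

Run against a node’s raw transaction output, the same parser gives a defender a way to watch the wallet addresses an analysis has tied to a botnet and see C2 changes as they are published, without depending on any infrastructure the operators control.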

According to Google, Glupteba is notorious for stealing credentials and data, mining cryptocurrency on infected devices, and setting up proxies to funnel other people’s Internet traffic through compromised machines and routers.

The tech company has also launched litigation because it believes this will set a precedent and create legal liability for other botnet operators. Google sought legal action because of the botnet’s complex design and the recent advances its operators have made in maintaining and scaling their operations. The tech giant believes that legal action will make it more difficult for the operators to exploit potential victims. Glupteba’s operators are strongly believed to be Russia-based.

Essentially, Glupteba is a dropper with extensive backdoor functionality that keeps it hidden and out of sight. The malware is installed in one of two ways: through pay-per-install networks, or via traffic purchased from traffic distribution systems.

Google’s Threat Analysis Group (TAG) found a specific git repository URL repeated across Glupteba binaries and, from it, concluded that it could identify the online services being peddled by the botnet’s operators. Up for purchase were access to virtual machines loaded with stolen credentials, proxy access, and credit card numbers for use in serving malicious ads or committing payment fraud.

On the technical action taken, the TAG team said in a blog post that 63 million Google Docs, 1,183 Google accounts, 908 cloud projects, and 870 Google ads associated with the malware had been terminated, and that 3.5 million users attempting to download malicious files had been warned not to proceed. Industry partners such as Cloudflare took down infected servers and replaced them with interstitial warning pages.

Expert Take

“We have now disrupted key command and control infrastructure, so those operating Glupteba should no longer have control of their botnet — for now,” wrote Royal Hansen, Vice President of Security, and Halimah DeLaine Prado, General Counsel.

“Botnets are a real threat to internet users, and require the efforts of industry and law enforcement to deter them,” wrote Google’s vice president of security, Royal Hansen, and general counsel Halimah DeLaine Prado.

“Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers,” said Prado and Hansen.

“The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down,” said Hansen and Prado, adding that such cybercrime was becoming more commonplace due to its resiliency.