Victory or invasion of privacy? Bot-net takedowns - Qakbot
In the last week we saw much fanfare surrounding the news that the FBI had taken down the Qakbot bot-net and I wanted to dive into their actions and give you my thoughts – but before I do that, let’s talk a bit about Qakbot itself.
Qakbot, Qbot, Pinkslipbot
If you haven’t read much about it, you might think that Qakbot is a new malware upstart that recently appeared, but in fact it dates to at least 2009 (with some sources suggesting 2007) making it now well over a decade old. Think of all the things Qakbot has seen!
There have been hundreds of articles written about Qakbot over the years – the Fraunhofer Institute has a great index of them going back to 2009 – and like many malware families, Qakbot has been busily evolving for all of those years.
Back in 2009 or so, Qakbot was reported as a largely benign (meaning it did not actively cause damage) malware that would be dropped initially via drive-by download with the aim of siphoning credentials and spreading within a target network via network shares, back-dooring each infected machine and communicating back to centralized Command-and-Control (C2) systems.
By the time we get to 2023, what we have is a botnet driven by a multi-layered C2 network: some bots are elevated to C2 status and act as intermediaries between the worker bots and the tier-2 C2 servers directly controlled by the botmasters. The worker bots are now primarily distributed via phishing email campaigns (perhaps a testament to how many browser vulnerabilities have been fixed, leaving fewer avenues for drive-by downloads).
The takedown
As the FBI themselves announced and others like Brian Krebs have commented on, the US Department of Justice and FBI worked together to secure court orders empowering them to gain “lawful access” to some 700,000 systems world-wide, redirect traffic to FBI controlled systems and use the FBI C2 systems to, essentially, instruct Qakbot to self-destruct.
A first?
Given the fanfare you might think this is the first time we’ve seen the FBI render malware inert, but that couldn’t be farther from the truth. In fact, back in May the DOJ was busily disabling Snake-infested machines worldwide, and back in 2019 the French authorities, along with the FBI, were disinfecting and dismantling the RETADUP botnet. If you dig hard enough, these aren’t the only examples of international cooperation in the name of removing malware from target systems and dismantling C2 infrastructure, and a common thread in all of them is the reverse engineering of the C2 protocol, followed by subverting that system to remotely disable and/or uninstall the malware.
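To make the mechanics above concrete, here is an added toy model (it is not Qakbot's protocol nor the FBI's or DOJ's tooling, and every bot name is constructed) of the tiered hierarchy described in the Qakbot section: workers fetch commands through elevated proxy bots, which fetch from a tier-2 C2, and a takedown redirects the upstream address to a sinkhole that answers every poll with an uninstall command. It also shows why the redirection has to happen at the tier-2 upstream rather than at a single intermediary: redirecting one proxy only reaches the workers behind it.

```python
# Toy model of a tiered botnet takedown. Constructed for illustration only;
# not Qakbot's real protocol or any agency's tooling, just the hierarchy
# the post describes (workers -> elevated proxy bots -> tier-2 C2).
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Bot:
    name: str
    upstream: str | None   # where this bot fetches commands; None for a root
    role: str              # "c2", "proxy", "worker" or "sinkhole"
    uninstalled: bool = False


def build_botnet() -> dict[str, Bot]:
    """Constructed sample: one tier-2 C2, two proxy bots, four workers."""
    bots = [
        Bot("c2", None, "c2"),
        Bot("proxy-a", "c2", "proxy"), Bot("proxy-b", "c2", "proxy"),
        Bot("w1", "proxy-a", "worker"), Bot("w2", "proxy-a", "worker"),
        Bot("w3", "proxy-b", "worker"), Bot("w4", "c2", "worker"),
    ]
    return {b.name: b for b in bots}


def redirect(bots: dict[str, Bot], old: str, sink: str = "sinkhole") -> None:
    """Model the traffic redirection: whatever fetched from `old` now reaches `sink`."""
    bots[sink] = Bot(sink, None, "sinkhole")
    for b in bots.values():
        if b.upstream == old:
            b.upstream = sink


def command_for(bots: dict[str, Bot], name: str) -> str:
    """Walk up the chain; whoever sits at the root decides what the bot is told."""
    root = bots[name]
    while root.upstream is not None:
        root = bots[root.upstream]
    return "uninstall" if root.role == "sinkhole" else "noop"


def beacon_cycle(bots: dict[str, Bot]) -> set[str]:
    """One polling round. Workers poll before proxies so a proxy relays the
    command before removing itself; returns the names that uninstalled."""
    for b in sorted(bots.values(), key=lambda b: b.role != "worker"):
        if b.role in ("worker", "proxy") and command_for(bots, b.name) == "uninstall":
            b.uninstalled = True
    return {b.name for b in bots.values() if b.uninstalled}


def takedown(redirect_from: str) -> set[str]:
    """Redirect one upstream node to the sinkhole and run a single beacon cycle."""
    bots = build_botnet()
    redirect(bots, redirect_from)
    return beacon_cycle(bots)
```

Redirecting the tier-2 C2 clears every proxy and worker in one cycle, while redirecting only one proxy leaves the rest of the botnet under the attacker's control.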
How does that make you feel?
Every time I read one of these articles my first visceral reaction is that this feels like an invasion of privacy. That some intelligence agency could be fishing around in my computer makes me feel distinctly uneasy and like I’ve been violated somehow. But the truth is, if I found myself in the position of having malware removed by the FBI, DOJ, National Gendarmerie or GCHQ, someone else had already violated my privacy with malicious intent, so am I really any worse off?
These agencies no doubt have a very fine line to tread, especially operating across international borders, and sooner or later it seems likely they will step on the wrong set of toes and someone is going to try and legislate an end to this kind of thing – I mean, the FBI & DOJ may say they have a warrant to “lawfully access” systems, but what happens if & when one of those systems turns out to be in the wrong jurisdiction and the local intelligence service happens to be large, loud and powerful enough to raise a meaningful objection?
But until that happens, I think I am OK with it, at least on a personal level. Given the opportunity I would rather someone take action to protect me and secure my data rather than try and contact me (which for the average machine is likely to be close to impossible, or at least very time consuming) and let me know how to disinfect myself, while meanwhile the attacker is busily siphoning my data (or worse).
Of course the best way to ensure you are never in that position is to do your best to ensure you aren’t infected in the first place - practice good security, be suspicious of emails (especially those with attachments), browse safely, ensure sessions to sensitive systems are closed and that you are logged out of them before browsing the Internet at large, and so on; if you’re a network or systems administrator, ensure you have visibility into what is happening within your environment (especially suspicious file access and logins) and what is traversing your network, that your management systems are not exposed to the internet, and so on. Nothing is perfect, but every step you take raises the bar just a little for the attacker – and let’s be real here: your bar need only be higher than the next target’s.
So – how do you feel about the take-down? I’d love to hear about it in the comments!