Google has now started taking action against the infamous blockchain-enabled Glupteba botnet. In addition, the company has filed a complaint and a motion for a temporary restraining order in the Southern District of New York against two Russian nationals, Dmitry Starovikov and Alexander Filippov, and 15 other individuals.
The Glupteba botnet has controlled over one million Windows PCs since 2011, including machines in the US, India, Brazil, and several Southeast Asian countries. The number of infected devices grows by the thousands every day.
As part of its effort to disrupt the botnet, Google has now taken control of Glupteba’s key command and control (C2) infrastructure. However, the malware also carries a backup mechanism built on the bitcoin blockchain that lets the threat actors regain control of the botnet if the main C2 infrastructure stops responding.
Google pokes the bear
Google’s vice president for security Royal Hansen and General Counsel Halimah DeLaine Prado acknowledged that Glupteba’s blockchain-based resilience mechanism will be a problem, and that such mechanisms are becoming increasingly common among cybercrime organisations.
Since blockchains are decentralised, taking down just the C2 infrastructure isn’t going to stop Glupteba. The blockchain fallback also helps the botnet recover more quickly, making the overall operation much harder to shut down.
The complaint Google filed further alleges that the 17 defendants operate and coordinate Glupteba attacks to steal user credentials and other sensitive information such as credit card details, to sell ad placements and proxy access to infected devices, and to use the infected devices for cryptocurrency mining.
According to Google, “if successful, this action will create real legal liability for the operators”. If Google were suing you on counts of computer fraud and abuse, trademark infringement and “other claims”, the legal liability would look quite real.
These efforts come just a day after Microsoft’s Digital Crimes Unit (DCU) received a go-ahead from a federal court in Virginia to seize 42 domains used by a Chinese cyber espionage group that the DCU calls “Nickel.”