Victory or invasion of privacy? Bot-net takedowns - Qakbot

In the last week we saw much fanfare surrounding the news that the FBI had taken down the Qakbot bot-net and I wanted to dive into their actions and give you my thoughts – but before I do that, let’s talk a bit about Qakbot itself.

Qakbot, Qbot, Pinkslipbot

If you haven’t read much about it, you might think that Qakbot is a new malware upstart that recently appeared, but in fact it dates to at least 2009 (with some sources suggesting 2007) making it now well over a decade old. Think of all the things Qakbot has seen!

There have been hundreds of articles written about Qakbot over the years – the Fraunhofer Institute has a great index of them going back to 2009 – and like many malware families, Qakbot has been busily evolving for all of those years.

Back in 2009 or so, Qakbot was reported as a largely benign (meaning it did not actively cause damage) malware that would be dropped initially via drive-by download with the aim of syphoning credentials and spreading within a target network via network shares, back-dooring each infected machine and communicating back to centralized Command-and-Control (C2) systems.

By the time we get to 2023, what we have is a botnet driven by a multi-layered C2 network: some bots are elevated to C2 status and act as intermediaries between the worker bots and the tier-2 C2 servers directly controlled by the botmasters. The worker bots themselves are now primarily distributed via phishing email campaigns (perhaps a testament to how many browser vulnerabilities have been fixed, leaving fewer avenues for drive-by downloads).

The takedown

As the FBI themselves announced and others like Brian Krebs have commented on, the US Department of Justice and FBI worked together to secure court orders empowering them to gain “lawful access” to some 700,000 systems world-wide, redirect traffic to FBI controlled systems and use the FBI C2 systems to, essentially, instruct Qakbot to self-destruct.

A first?

Given the fanfare you might think this is the first time we’ve seen the FBI render malware inert, but that couldn’t be farther from the truth. In fact, back in May the DOJ was busily disabling Snake-infested machines worldwide, and back in 2019 the French authorities, along with the FBI, were disinfecting and dismantling the RETADUP botnet. If you dig hard enough, these aren’t the only examples of international cooperation in the name of removing malware from target systems and dismantling C2 infrastructure, and a common thread in all of them is the reverse engineering of the C2 protocol followed by subverting that system to remotely disable and/or uninstall the malware.

How does that make you feel?

Every time I read one of these articles my first visceral reaction is that this feels like an invasion of privacy. That some intelligence agency could be fishing around in my computer makes me feel distinctly uneasy and like I’ve been violated somehow, but the truth is, if I found myself in the position of having malware removed by the FBI, DOJ, National Gendarmerie or GCHQ, someone else had already violated my privacy with malicious intent, so am I really any worse off?

These agencies no doubt have a very fine line to tread, especially operating across international borders, and sooner or later it seems likely they will step on the wrong set of toes and someone is going to try to legislate an end to this kind of thing. I mean, the FBI & DOJ may say they have a warrant to “lawfully access” systems, but what happens if & when one of those systems turns out to be in the wrong jurisdiction and the local intelligence service happens to be large, loud and powerful enough to raise a meaningful objection?

But until that happens, I think I am OK with it, at least on a personal level. Given the opportunity I would rather someone take action to protect me and secure my data rather than try and contact me (which for the average machine is likely to be close to impossible, or at least very time consuming) and let me know how to disinfect myself, meanwhile the attacker is busily syphoning my data (or worse).

Of course the best way to ensure you are never in that position is to do your best to ensure you aren’t infected in the first place: practice good security, be suspicious of emails (especially those with attachments), browse safely, ensure that sessions to sensitive systems are closed and that you have logged out of them before browsing the Internet at large, and so on. If you’re a network or systems administrator, ensure you have visibility into what is happening within your environment (especially suspicious file access and logins) and what is traversing your network, that your management systems are not exposed to the internet, and so on. Nothing is perfect, but every step you take raises the bar just a little for the attacker – and let’s be real here: your bar need only be higher than the next target’s.
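The visibility advice above ties back to the earlier observation that Qakbot spread inside a network via network shares, so one concrete thing a defender can watch for is a single workstation suddenly touching administrative shares on many other hosts. The following is an added example and not code from the original post or from any vendor: it runs a simple fan-out heuristic over a few constructed share-access events. The event format, field names, share list and thresholds are all assumptions made for this illustration.

```python
"""Added example (not from the original post): a small lateral-movement
heuristic over constructed network-share access events.

A source host (with a given account) that reaches administrative shares on
several distinct destination hosts within a short window is flagged. Event
layout, field names and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source host, account, destination host, share.
SAMPLE_EVENTS = """\
2023-08-29T09:00:01 WS-17 jdoe FS-01 projects
2023-08-29T09:00:05 WS-17 jdoe WS-02 ADMIN$
2023-08-29T09:00:07 WS-17 jdoe WS-03 C$
2023-08-29T09:00:09 WS-17 jdoe WS-04 ADMIN$
2023-08-29T09:00:12 WS-17 jdoe WS-05 C$
2023-08-29T09:00:14 WS-17 jdoe WS-06 ADMIN$
2023-08-29T09:15:00 WS-22 asmith FS-01 projects
2023-08-29T09:16:00 WS-22 asmith FS-02 finance
2023-08-29T11:00:00 WS-17 jdoe FS-01 projects
"""

# Shares that ordinary users rarely need; assumed list for this example.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_events(text):
    """Parse whitespace-separated event lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, share = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "dst": dst, "share": share})
    return events


def find_share_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag (source, account) pairs that reach admin shares on at least
    `min_hosts` distinct destination hosts inside any `window`-long span."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["share"].upper() in ADMIN_SHARES:
            by_actor[(ev["src"], ev["user"])].append(ev)

    alerts = []
    for (src, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_start = set(), None
        # For each event, collect destination hosts reached within the window
        # that starts at that event; keep the window with the widest fan-out.
        for i, first in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                hosts.add(ev["dst"])
            if len(hosts) > len(best):
                best, best_start = hosts, first["ts"]
        if len(best) >= min_hosts:
            alerts.append({"src": src, "user": user,
                           "window_start": best_start, "hosts": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_share_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['src']} ({alert['user']}) reached admin shares on "
              f"{len(alert['hosts'])} hosts from {alert['window_start']}: "
              f"{', '.join(alert['hosts'])}")
```

The heuristic is deliberately narrow: ordinary file-server use by WS-22 never appears in an alert because the `projects` and `finance` shares are not in the admin-share list, while WS-17 touching `ADMIN$`/`C$` on five hosts in under ten seconds stands out. In practice the share list, window and threshold should be tuned to what your own administrators and backup tooling legitimately do.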


So – how do you feel about the take-down? I’d love to hear about it in the comments!

Updated Sep 12, 2023
Version 2.0
  • "I mean, the FBI & DOJ may say they have a warrant to “lawfully access” systems, but what happens if & when one of those systems turns out to be in the wrong jurisdiction and the local intelligence service happens to be large, loud and powerful enough to raise a meaningful objection?"

    Given the typical attitude of US government agencies, they'll say "Tough luck, suck it up" and ignore any attempt under international law to stop such efforts.  The US has a history of ignoring international courts when they're being 'inconvenient'.

    But what would surely be a lot more noisy is if Russia, or, perhaps more likely, China, started doing something similar 'for the good of the Internet' - to machines in the US.  I expect US politicians would absolutely lose their minds over that, just look at the kind of idiotic hysteria they're displaying over TikTok.  Because when the US does it, it is altruism, but if anyone we don't like does exactly the same thing it is surely insidious.

    I might just be cynical.

  • Wholeheartedly understand and at least partially concur with your cynicism MegaZone. It would probably be foolish to remain naive about goals and intentions.
    This feels like a slippery slope of all the bad things we were warned about in 1984, Gattaca, Blade Runner, and any other dystopian future state we tend to say we don't want to be a part of.

    A less-cynical side of me wants to believe there is *at least* a thin veneer of checks and balances in law agencies where more than 1 person gets to make the decision...but most of that is held together with norms and good-faith and that all seems to break down pretty quickly when the rubber meets the road. I guess - to avoid most of this the systems in question (all of them) simply have to be conceived and built (or retroactively hardened) in a way that treats security as "built-in".

    The SIRT team has said this more ways than I can count. 😄

    I suppose it's not easy but is there a day, in the future, that all the technologists look back on this period in our history and wonder how we got anything done? Like many of us take emergency services for granted, or building codes, or paved roads: one can't simply build something big anymore without (usually) passing through all the gates of control that came from the mistakes & learning that came before.
    Maybe that can be a huge, counter-intuitive, benefit of AI to the next generation of engineers - taking some of the drudgery out of security concerns up front and eventually hardening things first (rather than invading privacy later). 

    Thanks for the article AaronJB.