Posted by John P. Mello, Jr.
Apr 27, 2021 4:00 AM PT
The notorious Emotet botnet on Sunday began uninstalling itself from about a million computers.
According to SecurityWeek, the removal routine was part of an update sent to infected computers by law enforcement servers in the Netherlands after Emotet’s infrastructure was seized in January during a multinational operation involving eight countries.
The update deletes the Windows registry key that lets the botnet’s modules start automatically, and it stops and removes the associated services.
“The threat posed by Emotet was neutralized by the takeover of the entire network infrastructure by law enforcement agencies in January last year,” explained Jean-Ian Boutin, head of threat research at ESET, an information security company based in Bratislava, Slovak Republic.
“Our ongoing monitoring of Emotet shows that the operation was successful,” he told TechNewsWorld.
“On Sunday, a procedure was activated to clean up compromised systems connected to infrastructure controlled by law enforcement agencies,” he continued. “The update removes Emotet’s resiliency mechanisms, effectively preventing threats from reaching any C&C servers in the future.”
According to the US Department of Justice, Emotet infected 1.6 million computers worldwide from April 1, 2020 to January 17, 2021, and caused millions of dollars in damage to victims worldwide.
The US Cybersecurity and Infrastructure Security Agency (CISA) estimates that remediating an Emotet infection costs state, local, tribal and territorial governments up to $1 million per incident.
Machines are still in danger
Although Emotet has been neutralized, the machines it infected remain at risk.
“Emotet itself has not been known for a lot of malicious behavior, especially in its latest versions,” said Chet Wisniewski, chief scientist at Sophos, a network security and threat management company based in the UK.
“It was known for bringing other malicious software with it, which was probably done before the police took over the command and control infrastructure,” he told TechNewsWorld. “Removing it will not affect other malware it may have brought with it.”
Boutin noted that over the past two years, Emotet has been actively distributing at least six different families of malware: Ursnif, TrickBot, Qbot, Nymaim, IcedID and Gootkit.
“Once installed, the malware families operate independently of Emotet,” he said. “Hence, both must be destroyed to keep the system free of malware.”
“The gap between the removal of the network infrastructure and Sunday’s cleanup operation should have allowed affected organizations to find these different families of malware and take the necessary steps to clean up their network,” he explained.
“Deactivating Emotet can be seen as the first step in restoring these machines, but it is far from the only step,” added Christopher Fielder, director of product marketing at Arctic Wolf, a maker of cloud SIEM software.
“These machines should still be considered compromised and evaluated using an effective incident response plan,” he told TechNewsWorld.
It is unclear whether owners of infected machines are being notified of the possibility of further infection, said Dirk Schrader, global vice president at New Net Technologies, a provider of IT security and compliance software based in Naples, Florida.
“It would certainly be helpful to alert the system owner that further forensic analysis is needed,” he said.
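A post-cleanup check of the kind Fielder and Schrader call for, as an added example that is not from the article or from any of the companies quoted: it lists Run-key autoruns and services whose executables sit outside the standard Windows and Program Files directories, so an analyst can review whatever persistence survived the uninstall (the families Emotet dropped keep their own persistence). The trusted-root list and the decision to flag everything outside it are assumptions for illustration; entries using environment variables such as %SystemRoot% will also be flagged and need a manual look.

```powershell
# Added example: list autorun entries and services outside trusted directories for review.
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed trusted roots for this illustration; adjust to the environment's baseline.
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Test-TrustedPath([string]$path) {
  $clean = $path.TrimStart('"')
  foreach ($root in $trustedRoots) {
    if ($root -and $clean.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
      return $true
    }
  }
  return $false
}

$findings = @()

# Run-key values: each non-provider property is one autostart command.
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-ItemProperty -Path $key
  foreach ($prop in $item.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
    if (-not (Test-TrustedPath ([string]$prop.Value))) {
      $findings += [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
    }
  }
}

# Services: the uninstall removed Emotet's own, but dropped payloads may have registered theirs.
Get-CimInstance Win32_Service | ForEach-Object {
  if ($_.PathName -and -not (Test-TrustedPath $_.PathName)) {
    $findings += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
  }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so HKLM and all services are readable; an empty table is not proof of a clean host, only that nothing outside the listed roots is registered to autostart.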
Taking Emotet out of the threat landscape is a great achievement, Wisniewski said. “It was one of the most dangerous and pervasive email threats in the world,” he said.
“I think the initial liquidation and acquisition of the command infrastructure was fantastic and we would like to see more,” he added.
“This last action, however, does not seem so useful and is more of a PR stunt than anything that can protect the public,” Wisniewski said.
“Removal is very important,” added Vinay Pidathala, director of security research at Menlo Security, a cybersecurity company based in Mountain View, California.
He noted that across Menlo Security’s global customer base, Emotet was the top malware the company protected customers from in 2020.
“Emotet has also been responsible for a lot of ransomware infections, so moving away from such a widespread malware distribution platform is good for the Internet,” he added.
As gratifying as the destruction of Emotet is, the chaos it has wrought across countless networks over seven years is alarming, said Hitesh Sheth, president and CEO of Vectra AI, an automated threat management solution provider based in San Jose, California.
“We must strive to increase international cybersecurity cooperation and response times,” he told TechNewsWorld.
“None of us know how many of Emotet’s malware cousins are doing more damage right now,” he said, “but if it takes seven years to neutralize each one, we will remain in a protracted crisis.”
One reason the Emotet takedown took so long was the complexity of its network infrastructure.
“Thanks to our long-term tracking of the botnet, we have identified hundreds of C&C servers, organized at different levels and scattered around the world,” explained Boutin. “For the operation to be successful, all these C&C servers had to be shut down at the same time, which was a very difficult task.”
Security experts generally praised law enforcement for destroying Emotet, although some were concerned about the move.
“I believe destruction is critical, and law enforcement is important in order to be able to accelerate as well as allocate the necessary amount of resources for large-scale events. These actions are highly commendable,” said Pidathala.
Boutin noted that the takedown was not limited to shutting down the botnet infrastructure, but went further and included the arrest of people suspected of involvement in Emotet.
“Hitting the uninstall procedure on infected systems was the icing on the cake,” he said. “I hope this action serves as a reference and makes future removal operations easier and more efficient.”
However, Austin Merritt, a cyber threat analyst at Digital Shadows, a San Francisco-based digital risk protection solutions provider, noted the removal could raise some privacy concerns.
“People targeted by Emotet may be concerned that FBI involvement could allow them to indiscriminately sneak into victims’ computers and see what’s there,” he told TechNewsWorld. “Consequently, there may be fears that law enforcement agencies will receive non-public information from them.”
While automatic malware removal seems like a great response to these infections, especially in large deployments like Emotet, there are some ethical issues with this approach, added Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Florida.
“Part of the problem is that law enforcement is actively deleting files from private devices,” he told TechNewsWorld. “Even with the best of intentions, this can be a problem.”
He explained that coding errors could potentially lead to disruptions and loss of revenue or services in the future when automated malware removal is performed.
“Also,” continued Kron, “there may be no notification for the affected organizations. This can be an issue if the automatic deletion process occurs at the same time that device administrators are collecting forensic data or removing malware themselves. … Without coordination, this can become a major problem for the organization.”
“This trend, while beneficial in the short term, is a topic that should be discussed further in the cybersecurity industry, with a focus on how to manage notifications for those whose devices have been changed, manage oversight, and perhaps the ability to opt out of all these law enforcement actions,” he added.