Recently, the United States Department of Justice (DOJ) announced that it had disrupted the “911 S5” botnet and arrested its creator and administrator, YunHe Wang, a Chinese national, for perpetrating cyber-crimes against US citizens and businesses. The 911 S5 botnet spanned more than 19 million IP addresses, likely making it the largest of its kind. This was a major victory against cybercrime and sends a strong message to those trying to profit from unsuspecting users.
Computers joined the network without their owners' knowledge when those owners installed one of several malicious VPN software packages. Once a machine was compromised, Wang sold access to it, as a proxy for the buyer's traffic, to threat actors committing a variety of crimes ranging from remote attacks to child exploitation, fraud, and even bomb threats. Those customers heavily targeted state and federal services, defrauding governments of millions of dollars.
What Is a Botnet?
A botnet is a group of computers that have been compromised and are under remote control and management by a malicious threat actor. Small pieces of code are usually installed to allow the threat actor to perform actions remotely. These actions are performed in the background with no visible signs to the unsuspecting user.
The owner of the botnet can put the compromised machines to work on any task they desire, from distributed denial of service (DDoS) attacks against a business or government to sending spam, serving malware, or other more nefarious tasks. In the case of 911 S5, Wang rented the access to other cyber criminals for a usage fee, generating millions in revenue.
How Did 911 S5 Spread So Widely?
The 911 S5 botnet spread by enticing unsuspecting users to install the malicious software. In some cases, free software was offered that provided a marginally useful service. In other cases, the operators sold the software to users, profiting from the malware directly. Often, the VPN software was bundled with other software through pay-per-install models. In many cases, it came packaged with pirated versions of otherwise legitimate software.
911 S5 offered various virtual private network (VPN) capabilities. Unsuspecting users thought they were adding security by purchasing and installing a VPN service, when in reality the software was designed to compromise the user's PC on install and turn it into a proxy node for the botnet.
Why This Matters
Although the DOJ arrested the owner and took down the centralized command and control infrastructure used to manage all the remote PCs, it had no way to clean the affected machines and remove the malware. Thus, at this moment, the malware is still sitting on a very large number of systems (the DOJ counted more than 19 million IP addresses) waiting for instructions. If a new threat actor figures out a way to capitalize on this, the machines could very easily be right back in play perpetuating new crimes if they remain infected.
Further, as more details come out about these crimes, others may try to replicate Wang’s model, creating new botnets that are even more devious and better concealed than their 911 S5 predecessor. In effect, 911 S5 could serve as a blueprint for the next generation of botnet designers.
Is My Computer Affected?
The Federal Bureau of Investigation (FBI) published a good article that outlines how to identify and remove remnants of the 911 S5 botnet from your PC. For those looking for a shortcut version or who are daunted by the technical nature, we'll break it down for you.
The FBI identified six VPN applications that carried the botnet malware. The presence of any one of them, either the installed application or its running process (shown in parentheses), means you are affected:
- MaskVPN (mask_svc.exe)
- DewVPN (dew_svc.exe)
- PaladinVPN (pldsvc.exe)
- ProxyGate (proxygate.exe, cloud.exe)
- ShieldVPN (shieldsvc.exe)
- ShineVPN (shsvc.exe)
To check for running processes on a Windows PC, press Ctrl+Shift+Esc to open Task Manager directly (or press Ctrl+Alt+Delete and choose Task Manager from the screen that appears). In the Processes or Details tab, review the list for any of the executable names above. There could be more than one. Kill each one by right-clicking it and choosing End task. Because cloud.exe is a generic name, right-click it and choose Open file location first to confirm it lives in a folder named for one of the applications above before ending it.
Also, check the Start menu by searching for the above program names. Sometimes an uninstaller may be available. If so, it will appear under the application name in the Start menu. You can also check under Add or remove programs (Settings > Apps).
After uninstalling, or if there is no uninstaller, check disk locations such as C:\Program Files, C:\Program Files (x86) and C:\Users\[Userprofile]\AppData\Roaming for folders with the names of the malicious applications. Delete any folders you find with matching names. If you are unable to delete a folder, make sure you have first stopped the running process in Task Manager as described above; Windows will not delete a folder whose executable is still running.
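The three manual checks above (running processes, installed programs, leftover folders) are tedious to repeat across a fleet. The following PowerShell script is an added example written for this article; it is not part of the FBI guidance or the original page. The process image names come from the list above. Matching Add or remove programs entries and folder names on the product names (MaskVPN, DewVPN, and so on), the service check, and the remediation order are our own assumptions about how to automate the steps, and the script name Find-911S5.ps1 is arbitrary.

```powershell
# Find-911S5.ps1 -- added example, not from the FBI guidance or the original page.
# Sweeps a Windows host for the six 911 S5 VPN applications listed above
# (process image names from the text; matching folders and uninstall entries on
# the product names is an assumption) and optionally removes what it finds.
# Run from an elevated PowerShell prompt:
#   .\Find-911S5.ps1             # report only
#   .\Find-911S5.ps1 -Remediate  # stop services/processes, then delete matching folders
param([switch]$Remediate)

# Product name -> process image names (without .exe), as listed in the FBI guidance.
$indicators = [ordered]@{
    'MaskVPN'    = @('mask_svc')
    'DewVPN'     = @('dew_svc')
    'PaladinVPN' = @('pldsvc')
    'ProxyGate'  = @('proxygate', 'cloud')
    'ShieldVPN'  = @('shieldsvc')
    'ShineVPN'   = @('shsvc')
}
$exeNames = foreach ($names in $indicators.Values) { foreach ($n in $names) { "$n.exe" } }
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($App, $Type, $Detail, $Target) {
    $findings.Add([pscustomobject]@{ App = $App; Type = $Type; Detail = $Detail; Target = $Target })
}

# 1. Running processes (what the Task Manager step looks for). 'cloud.exe' is a
#    generic name, so the full path is recorded for a human to judge.
foreach ($app in $indicators.Keys) {
    foreach ($name in $indicators[$app]) {
        foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            Add-Finding $app 'Process' "$($p.ProcessName).exe PID $($p.Id) $($p.Path)" $p
        }
    }
}

# 2. Windows services whose command line launches one of those binaries.
#    Win32_Service exposes the command line as PathName.
foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
    foreach ($exe in $exeNames) {
        if ($svc.PathName -and $svc.PathName -match [regex]::Escape($exe)) {
            Add-Finding 'n/a' 'Service' "$($svc.Name) ($($svc.State)): $($svc.PathName)" $svc
        }
    }
}

# 3. Add or remove programs entries: native and 32-bit-on-64-bit hives, plus per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($entry in (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue)) {
    foreach ($app in $indicators.Keys) {
        if ($entry.DisplayName -like "*$app*") {
            Add-Finding $app 'InstalledProgram' "$($entry.DisplayName): $($entry.UninstallString)" $entry
        }
    }
}

# 4. Leftover folders in Program Files and in every profile's roaming AppData
#    (the locations named in the text), not just the current user's.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) +
         @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
           ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' })
foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    foreach ($app in $indicators.Keys) {
        foreach ($dir in (Get-ChildItem -LiteralPath $root -Directory -Filter "*$app*" -ErrorAction SilentlyContinue)) {
            Add-Finding $app 'Folder' $dir.FullName $dir
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No 911 S5 indicators found.'; return }
$findings | Format-Table App, Type, Detail -AutoSize

if ($Remediate) {
    # Order matters: a folder whose binary is still running cannot be deleted,
    # so stop services and processes before removing files.
    $findings | Where-Object Type -eq 'Service' | ForEach-Object { Stop-Service -Name $_.Target.Name -Force -ErrorAction SilentlyContinue }
    $findings | Where-Object Type -eq 'Process' | ForEach-Object { Stop-Process -Id $_.Target.Id -Force -ErrorAction SilentlyContinue }
    $findings | Where-Object Type -eq 'Folder'  | ForEach-Object { Remove-Item -LiteralPath $_.Target.FullName -Recurse -Force -ErrorAction Continue }
    Write-Host 'Remediation attempted. Re-run without -Remediate to confirm, then run a full antivirus scan.'
}
```

Run it without the switch first and read the report: a process named cloud.exe under a legitimate vendor's folder is not a hit, and the script deliberately records paths rather than deciding for you. Running it elevated matters for two reasons: Win32_Service and other users' profile folders are not fully visible otherwise, and the HKCU uninstall hive it reads belongs to the account that launched the elevated prompt, so check additional user accounts separately.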
How Can I Prevent Future Infections?
First, make sure to install a good antivirus program and keep it up to date. On Windows PCs, Microsoft provides Defender for free, which is a reasonable solution for those on a budget. Just make sure it stays up to date to ensure you are protected from the latest threats. Many other free and commercial antivirus programs are also available and most will fit the need for basic protection.
Next, make sure to install security updates and patches for both the operating system and any installed programs on a regular basis. 911 S5 itself spread by persuading users to install it rather than by exploiting a vulnerability, but a great deal of other malware relies on known holes left open by unpatched systems. It's important to patch regularly, enabling auto-update if possible so you don't forget. If auto-update is not an option for you, then mark your calendar or schedule your updates to ensure they get applied. On Windows, these settings can be found by typing "update" in the Start menu search and choosing Check for updates.
Some applications may require individual updates from within the application itself. It’s important to make sure you know how to update both the OS and each installed application to ensure complete protection.
In addition to patching, avoid installing software from sketchy sites. If the deal seems too good to be true, it probably is. There’s no free lunch in the world of software. There will always be hitchhikers along with the intended package, making for unexpected surprises down the road.
Finally, be vigilant about not clicking on browser pop-ups or links in email and spam messages. Often, threat actors will try to get you to install their software by drawing misleading dialog boxes on web sites or by sending emails designed to confuse or entice you into clicking the link. Don't click. Just delete the offending message, or clear the browser pop-up by closing the dialog using the X in the top right corner. If the "dialog" is drawn inside the web page itself, even its X may be a button, so close the whole browser tab instead.
How Can Black Kilt Help?
Our security professionals can sweep your business network and scan your affected systems. We can clean and remove 911 S5 and other threats. We can also help design and implement an appropriate security program for your business to prevent these kinds of threats moving forward.
Call today for a free consultation.