Google representatives said that they stopped the work of the Glupteba botnet: they deleted the accounts, and also disabled the servers and domains associated with it. In addition, the company has filed a lawsuit against the Russians Dmitry Starovikov and Alexander Filippov, which are accused of creating and operating a botnet.
According to an expert report, Google removed about 63 million files from Google Docs, which Glupteba operators used to distribute their malware, as well as 1183 Google accounts, 908 cloud projects and 870 Google Ads accounts, which hackers also used to host various parts of their botnet.
In addition, over the past few days, Google has been working with several hosters and internet infrastructure companies (such as Cloudflare) to work out the issue of shutting down Glupteba’s C&C servers.
Unfortunately, the company admits that this operation will only cause temporary problems in the operation of the botnet, since the malware was originally created with a backup C&C system that runs on top of the Bitcoin blockchain. However, Google hopes that Glupteba will reduce its activity for at least a few months.
The Glupteba botnet was first documented in an ESET report back in 2011. Today it is one of the oldest botnets in the world, which attacks users in the United States, India, Brazil and Southeast Asia.
On compromised machines, Glupteba steals credentials and cookies, mines cryptocurrency, and deploys and exploits proxy components targeting Windows systems and IoT devices.
One of the most famous botnet modules is capable of spreading infection from a Windows computer to MikroTik routers found on internal networks. It is believed that this particular module was used at the beginning of this year to build the Mēris botnet, responsible for some of the largest DDoS attacks to date.
In addition to creating technical problems for the work of Glupteba, Google experts say that they have managed to identify two Russian citizens who are associated with some of the deactivated domains and accounts.
In court documents, Google claims that Dmitry Starovikov and Alexander Filippov are the creators and operators of Glupteba, and another 15 unknown persons are their accomplices. According to the company, they operated several sites where they advertised the capabilities of their botnet. For example, dont.farm, where they sold access to hacked Google and Facebook ad accounts. It is believed that the hackers obtained the credentials for these accounts through their botnet and later sold the access to other attackers.
Moreover, Google believes that this is all just part of Glupteba, a larger “criminal enterprise”, which also included the management of AWMProxy.net (later vd.net) and abm.net. These resources made it possible to rent access to proxies hosted on the computers of Glupteba victims.
As part of its lawsuit, Google is seeking compensation for the damages, an injunction against two suspects barring them from interacting with any Google services, and an order that the creators of Glupteba violated a number of US laws: the Racketeers and Corrupt Organizations Act (RICO), the Computer fraud and abuse, the Electronic Communications Privacy Act, the Lanham Act (Federal Trademark Act of 1946), and engaged in improper business interference to obtain illicit enrichment.
Let me remind you that I also wrote that the US authorities accused the Ukrainian citizen of running a brute force botnet.