This is huge. Yesterday The Register published an article [1] mentioning that Qakbot was responsible for 30% of recorded intrusion attempts since the start of 2023.<p>[1]: <a href="https://www.theregister.com/2023/08/28/top_malware_loaders/" rel="nofollow noreferrer">https://www.theregister.com/2023/08/28/top_malware_loaders/</a>
"To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller—created to remove the Qakbot malware—untethered infected computers from the botnet and prevented the installation of any additional malware."<p>That's pretty sweet that they healed hundreds of thousands of computers.
The warrant application is one of the coolest, most cyberpunk warrants I've read in my lifetime: <a href="https://www.justice.gov/d9/2023-08/23mj4244_application_redacted.pdf" rel="nofollow noreferrer">https://www.justice.gov/d9/2023-08/23mj4244_application_reda...</a><p>Feels like one of those "in world messages" you find in games like Cyberpunk 2077. Could have been written by NetWatch.<p>We live in amazing times.
Qbot/Qakbot/Pinkslip/Whateveritsnowcalled has been morphing since the very beginning, 2007/08:<p><a href="https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/qakbot" rel="nofollow noreferrer">https://www.blackberry.com/us/en/solutions/endpoint-security...</a><p><a href="https://www.youtube.com/watch?v=DN9m27nhA00">https://www.youtube.com/watch?v=DN9m27nhA00</a><p><a href="https://en.wikipedia.org/wiki/BASHLITE" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/BASHLITE</a>
If it's really finally fully down, that's great, but it took forever, and replacements can be churned out and new networks grown in a very short amount of time.<p>I'm glad the FBI invested 15+ years and who knows how much money to rid the world of QBot, but this isn't a scalable solution to the botnet problem.
Some more technical details on what we observed here.
<a href="https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot" rel="nofollow noreferrer">https://www.secureworks.com/blog/law-enforcement-takes-down-...</a><p><a href="https://www.secureworks.com/blog/qakbot-campaign-delivered-black-basta-ransomware" rel="nofollow noreferrer">https://www.secureworks.com/blog/qakbot-campaign-delivered-b...</a>
I wouldn't make a big deal out of this. Unlike worms, "bots" like this will come back after weeks/months because of the number of people involved and the spread of the malware "kit" (including server side stuff). They are constantly adapting anyways; there isn't a fixed set of domains and IPs you can block to stop it permanently.<p>They took down Emotet as well, but it's had a resurgence.<p>Qakbot in recent years has shifted to an initial access broker monetization scheme where it sells access (Cobalt Strike, etc...) to more serious actors who will pay the access fee instead of hiring talent themselves to do the hacking. So they have a strong community of customers. They will need to arrest a lot of people at once and hope they got all the people needed to revive it.
Two questions:<p>1. If someone installed Qakbot willingly, does the warrant apply (the warrant has what looks to me like specific language limiting it to unaware victims' machines)?<p>2. If the FBI's justice.exe damaged data on a victim machine because of an unexpected configuration, are they liable for damages?
Cool use of the botnet's capabilities against itself.<p>But no arrests announced? I wish the people responsible for this were made an example of, as opposed to being basically free to start over (it seems).
> To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller—created to remove the Qakbot malware—untethered infected computers from the botnet and prevented the installation of any additional malware.<p>So the FBI used unauthorized access to the computers to uninstall the malware? Scary if you think about it. I'm sure they could have used that access any way they wanted.