Google's Threat Analysis Group (TAG) said it has disrupted the operation of the malicious Glupteba botnet, which infected around a million Windows computers to steal credentials and information, mine cryptocurrency and divert network traffic.
The multi-component Glupteba used to build the botnet is distributed through pay-per-install and traffic distribution system networks, Google said.
Glupteba first appeared on researchers’ malware radar in 2011, and has been actively distributed ever since.
It uses an immutable, distributed blockchain database to protect the lines of communication between the command and control servers and the botnet they control.
Whenever a command and control server is taken down, Glupteba queries the public blockchain to identify transactions with addresses controlled by the malware operators.
It then decrypts encrypted code contained in the message field of the transaction recorded on the blockchain to get the address of a backup command and control server to replace the one that's been taken down.
This novel use of blockchain is sparking fears that Glupteba cannot be completely eradicated unless its infrastructure using the immutable distributed database is neutralised.
The distribution mechanism for Glupteba included around 63 million Google Docs, 1183 Google accounts, 908 cloud projects and 870 Google Ads, which have now been terminated.
Google TAG was able to capture Glupteba binaries and discovered a Git code repository link in some of them.
This led Google to the Russian individuals that it believes are behind Glupteba, who were selling access to virtual machines with stolen credentials, network proxies and Extracard credit card numbers to be used for serving malicious ads and payment fraud on Google Ads.
Google accused Dimitry Starovikov and Alexander Filippov of being the operators of the botnet and has filed a legal complaint [pdf] against them.
A further 15 unnamed co-defendants are alleged to have joined the two Russian nationals in criminal activities.
Starovikov and Filippov are alleged by Google to have stolen accounts, engaged in credit card and ad fraud, set up network proxies on victims' machines, and engaged in cryptojacking, using the Glupteba malware.