IPStorm Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 16 Nov 2023 14:41:06 +0000

IPStorm Botnet Stopped by the FBI, Operator Detained
https://gridinsoft.com/blogs/ipstorm-botnet-stopped-fbi/
Thu, 16 Nov 2023 14:35:08 +0000

The FBI has successfully dismantled the notorious IPStorm botnet and apprehended its operator. The operation took place back in September, with the key operator, Sergei Makinin, detained around this time.

FBI Dismantles IPStorm Botnet

The Federal Bureau of Investigation has successfully suspended the activity of the notorious IPStorm botnet. As a result, they have ended the widespread threat it posed to thousands of infected devices globally. The operator behind this nefarious network, Sergei Makinin, is a Russian and Moldovan national who has been arrested. He later confessed to accumulating over half a million dollars by selling access to compromised devices.

Initiated by Makinin in 2019, the IPStorm botnet boasted a formidable network of over 20,000 infected computers during its lifetime. This illegal infrastructure allowed threat actors to clandestinely route traffic through compromised devices. IPStorm runs on Windows, Linux, Mac, and Android operating systems, effectively evading detection by security measures.

IPStorm Botnet Timeline

As noted above, Makinin developed the IPStorm malware from June 2019 to December 2022. The malware was designed to spread across devices globally and take control of the infected electronics, knitting them into a cohesive botnet. The primary objective of this botnet was to turn compromised devices into proxies, and it appears that he succeeded. Makinin sold access to these proxies through the dedicated websites proxx.io and proxx.net, creating a lucrative marketplace for cybercriminals seeking covert and untraceable communication channels.

Figure: IPStorm botnet samples gathered by Intezer, showing when the botnet started.

The DoJ elucidated that Makinin offered access to more than 23,000 infected devices, referred to as proxies, charging substantial amounts, often hundreds of dollars per month, for the privilege. The illicit venture proved highly profitable for the operator, with Makinin admitting to amassing at least $550,000 in revenue from renting out the IPStorm botnet. This revelation underscores the financial motivation behind creating and maintaining such sophisticated cyber threats. In a significant development related to the case, Makinin pleaded guilty to seizing control of thousands of electronic devices worldwide and profiting by selling unauthorized access to these compromised systems, according to the US Department of Justice (DoJ).

Legal Actions and Continuing Threats

Although the IPStorm botnet has been taken down, it is worth noting that the legal action did not cover the IPStorm malware that still resides on infected devices. Consequently, the malware still threatens compromised systems even though the botnet is now incapacitated. Unlike in the earlier successful FBI operation against the QakBot botnet, the agency did not command the malware to delete itself from devices.

Either way, the FBI's recent target-picking strategy is obvious. It can be particularly difficult to behead relatively small and scattered ransomware groups, whereas huge botnets that serve ransomware actors and hackers of many other kinds are a much easier yet still effective target.

P2P botnet Interplanetary Storm accounts more than 9000 devices
https://gridinsoft.com/blogs/p2p-botnet-interplanetary-storm-accounts-more-than-9000-devices/
Mon, 19 Oct 2020 16:45:41 +0000

Bitdefender experts have published a detailed description of how the P2P botnet Interplanetary Storm (aka IPStorm), which uses infected devices as proxies, operates.

According to researchers, the botnet includes more than 9,000 hosts (according to other sources, the number of infected devices exceeds 13,500), the vast majority of which are running Android, and about one percent are running Linux and Darwin.

“These are various routers, NAS, UHD receivers, multifunctional boards (for example, Raspberry Pi) and other IoT devices. Most of the infected devices are located in Hong Kong, South Korea and Taiwan”, said the researchers.

The researchers write that the purpose of the botnet can be inferred from the specialized nodes that make up the malware’s control infrastructure:

  • a proxy server that pings other nodes to confirm their availability;
  • a proxy checker that connects to the bot’s proxy server;
  • a manager node that issues commands for scanning and brute-force;
  • a backend interface responsible for hosting the Web API;
  • a node that uses cryptographic keys to authenticate other devices and sign authorized messages;
  • a node used for development.

Overall, the researchers say, this infrastructure covers checking the availability of nodes, connecting to a proxy, hosting a Web API, signing authorized messages, and even testing the malware at the development stage.

“This all suggests that the botnet is being used as a proxy network, probably offered as an anonymization service”, the Bitdefender report says.

Interplanetary Storm spreads through SSH scanning and weak-password guessing. The malware itself is written in Go, and the report emphasizes that its main functions were written from scratch rather than borrowed from other botnets, as often happens. In total, the researchers found more than 100 changes in the malware code, so the development of Interplanetary Storm is clearly gaining momentum.

The malware code integrates implementations of the open-source protocols NTP, UPnP and SOCKS5, as well as the libp2p library for peer-to-peer functionality. The malware also uses a libp2p-based networking stack to interact with IPFS.

Figure: Interplanetary Storm scheme.

“Compared to other Go malware we’ve analyzed in the past, IPStorm is notable for its complex design of module interactions and the way it uses libp2p constructs. It is clear that the attacker behind this botnet has a good command of Go”, the experts summarize.

IPStorm botnet now attacks Android, macOS and Linux devices
https://gridinsoft.com/blogs/ipstorm-botnet-now-attacks-android-macos-and-linux-devices/
Thu, 01 Oct 2020 16:39:01 +0000

Anomali specialists first noticed IPStorm in June 2019, when it attacked only Windows machines. It has now begun attacking devices running Android, macOS and Linux.

Previously, the botnet included about 3,000 infected systems, but even then the researchers discovered several strange and interesting features that were unique to IPStorm.

For example, the full name of the malware, InterPlanetary Storm, comes from the InterPlanetary File System (IPFS), the P2P protocol the malware uses to communicate with infected systems and transmit commands.

“In addition, IPStorm was written in the Go language, and although no one is surprised with malware in this language, in 2019 this was not so widespread, which made IPStorm a rather exotic and interesting piece of malware”, said Anomali researchers.

Interestingly, Anomali’s 2019 report did not explain how the malware spreads. At that time, some researchers hoped that IPStorm would turn out to be someone’s experiment with IPFS and would not be developed further.

Unfortunately, these hopes did not come true.

Recent reports from Bitdefender and Barracuda describe new versions of IPStorm that can infect devices running Android, macOS and Linux. The experts also figured out how the botnet spreads, refuting the theory that it was just someone’s experiment. Even worse, the number of infected machines has already grown to 13,500 hosts.

“The botnet attacks and infects Android devices by scanning the Internet for devices with an open ADB (Android Debug Bridge) port. In turn, devices running Linux and macOS are compromised through dictionary attacks on SSH, that is, attackers simply brute force a username and password”, the researchers report.

After IPStorm infiltrates a device, the malware checks for honeypot software, establishes persistence on the system, and then kills a number of processes that could pose a threat to its operation.

Although the botnet has been active for over a year, researchers still have not figured out what the ultimate goal of the IPStorm operators is. IPStorm installs a reverse shell on every infected device, but then leaves the system alone.

In theory, this backdoor can be used in many ways, but so far IPStorm operators do not use it at all, although they could install miners on infected devices, use them as proxies, organize DDoS attacks, or simply sell access to infected systems.

I love botnets and I am happy to talk about them, for example about the Prometheus botnet or the Dracula propaganda botnet, but the coolest is still the Cereals botnet, which existed for eight years for only one purpose: it downloaded anime.
