FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins

The FBI deleted web shells installed by criminals on hundreds of Microsoft Exchange servers across the United States, it was revealed on Tuesday. The Feds were given approval by the courts to carry out the deletions, which occurred without first warning the servers' owners, following the discovery and exploitation of critical …

  1. sreynolds

    Dangerous precedent.

    What next? Did they have a captain cook at the email too? Maybe looking for some incriminating metadata. If you go through those email systems there is a lot of stuff there like drug testing reports, pricing info that you really want to be kept private.

    1. jake Silver badge

      Re: Dangerous precedent.

      "Did they have a captain cook at the email too?"

      Of course they did. It's what they do. They will no doubt lie and claim otherwise, but what moron would believe them?

    2. jgard

      Re: Dangerous precedent.

      Didn't we get rid of the dangerous one in January?

    3. Anonymous Coward

      Re: Dangerous precedent.

      I think the FBI should have phoned all of the affected users.

      "Good morning, this is Jim from the FBI, and we found some malware installed on one of your servers. We are offering a free patching service to everyone affected. If you would like us to proceed, just start up TeamViewer and enter this code."

    4. bombastic bob Silver badge
      Pirate

      Re: Dangerous precedent.

      Not as dangerous as you might think. A court had to approve it, with a paper trail of people and agencies to file lawsuits against, in case something went horribly wrong.

      Back during the 'Code Red' infection, the malware resided in memory but not on disk, yet it opened up a CMD shell accessible via a listening TCP port. So if someone (nobody I know of course) were to get an infection attempt from "some IP address", that person could have written a bot (but nobody did this, it's probably not legal) to use the CMD back door to shut down the web server and make the virus go away. Of course the machine would get infected again as soon as one of the many code red bots detected it, so the only REAL fix was to patch or shut off the web server.

      Similarly here, except the FBI got court approval first and apparently had a list of IP addresses to work with already (a court would require this).

    5. Michael Wojcik Silver badge

      Re: Dangerous precedent.

      I'm not complacent about this action, but it's significant that they did get a warrant – so they had legal authorization and satisfied the Fourth Amendment requirement – and they only got into the servers because malware was already installed on them, which means those sensitive documents were likely already in someone else's hands anyway.

  2. amanfromMars 1 Silver badge

    Now you know you can blame the FBI if similar things go TITSUP in the future? *

    The government knows best and we work for you. In ye olde days, there were book burnings to try to wrest command and control back from the starved of information and advanced intelligence masses to a self chosen almighty vulnerable few.

    * Well, of course you can, and why wouldn't you whenever you know they are capable of looking out for you so diligently, and are enabled by approval to be able to act autonomously on your behalf. Quite whether you would agree and accept that as a good thing in their remit is a whole other different matter.

    Methinks that sort of little leak is the fatal vital straw that causes the hoovering dams to burst.

    1. Phil O'Sophical Silver badge

      Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

      act autonomously on your behalf

      Government ≠ courts. The FBI got court permission, essentially a warrant, first. That's surely a good thing?

      1. jake Silver badge

        Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

        Since when did the FBI give a shit about the precise details listed on warrants? They found an excuse to convince a Judge to let them in, the Judge agreed, they went in, took copies, poked around to see how much more than the email system they could access, made copies of all that, and then fixed the bug. The only question remaining is did they leave behind another, more private, backdoor in some or all of the affected servers? Perhaps turn back on the disabled Intel Management Engine on select systems?[0] It's kind of what they do, after all ...

        [0] When was the last time you checked the status of yours?

        1. John Brown (no body) Silver badge

          Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

          "and then fixed the bug"

      Clearly you didn't bother to read the article. Not only is most of what you state as fact merely assertion on your part, but the bit quoted above is specifically mentioned in the article to NOT have been done. The "bug" is still there, the servers are still vulnerable. The feds only removed the infection.

        2. whitepines
          Happy

          Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

          [0] When was the last time you checked the status of yours?

          My Blackbird desktop doesn't have a Management Engine. It also doesn't run Windows or commercial games [1].

          Such a nice feeling though, not having a known backdoor.

          [1] I have another computer for the few games worth playing these days. As far as its Management Engine is concerned, "gamer1" only visits Steam forums and the like.

      2. Cynic_999 Silver badge

        Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

        Warrant hearings are before magistrates with only the applicant being present (so nobody to argue against issuing the warrant). The applications frequently misrepresent the facts, exaggerate and are very selective in the information provided.

        1. Eclectic Man Silver badge

          Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

          For some applications for warrants in the UK, magistrates courts are used, but often the applications are, or were, on paper, and the magistrates have so many to sign that they often do not read each one*. Higher courts can also issue warrants, and I suspect that in the USA, an application for a warrant to delete malware from privately owned computers without the owners' knowledge would have to be provided by a senior judge, particularly if it applied over several states.

          I do wonder, however, what evidence the FBI said they would use to ensure they were only accessing the correct computer systems, and what records they kept of the justifications for each system and what they actually did. I suspect that the System Administrators of the affected systems would be most interested to know. Of course, it could be covered by the MS licence agreement small print, after all, who reads that?

          *A family member was a lay magistrate and was often confronted with a pile of warrant applications from the police to sign quickly when she turned up on a Monday morning.

      3. Anonymous Coward

        Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

        This time...

      4. Michael Wojcik Silver badge

        Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

        Not "essentially a warrant" – it was a warrant. It's unsealed now and mostly redacted; the article contains a link to the FBI announcement, and the announcement has a link to download the unsealing order and the related documents. They're right there to be read.

        The warrant is pretty specific. It was signed by Magistrate Judge Peter Bray of the US District Court, Southern Texas. FWIW, Bray has an engineering degree, and he was a Public Defender for 14 years.

        The warrant says it was requested by telephone, and it was issued the day it was requested, so it's not like Bray spent a lot of time agonizing over it. But I don't see any grounds for claiming it was just rubber-stamped.

        (I know. What kind of a nerd does actual research before commenting?)

  3. Imhotep Silver badge

    FTFY

    This is the first time I've ever heard of this type of action by the federal government. I'm not sure why this was done secretly, not even notifying at least the website owners ahead of time.

    It would be interesting to hear more on why the FBI thought the action justified: the article seems to imply that it might be under national security purposes?

    1. the hatter

      Re: FTFY

      I can't say for sure, but sounds like they removed the shells and possibly notified the companies at the same time/shortly after (likely with a demand for secrecy). Just that the sealed order has now been unsealed, giving all the cleaned and warned parties a tiny fighting chance to sort themselves in the meantime.

      1. Michael Wojcik Silver badge

        Re: FTFY

        Issued on the 9th, unsealed on the 13th. It's not like they kept it a secret for long. It's not out of the question that they kept it sealed to avoid tipping off Hafnium and others who might still be using those web shells.

  4. Winkypop Silver badge
    Black Helicopters

    Don't mind us

    Just playing through....

    1. TimMaher Silver badge
      Alert

      Fore!

      Seriously though.. A South Texas attorney?

      Was this approved by a state judge and therefore were all of the servers in Texas?

      Federal court anyone? Who has jurisdiction outside of the state?

      1. bombastic bob Silver badge
        Devil

        Re: Fore!

        A South Texas attorney?

        As long as an attorney is able to argue cases in Federal court (passed whatever bar exams, etc.), that should be fine, yeah. It's also possible that the FBI hired a private attorney, or has a law firm under contract. This would not be unusual, really. However you would normally expect a government attorney to argue such cases.

      2. jfm

        Re: Fore!

        The US Attorney for South Texas—the senior lawyer for the federal government in the South Texas federal court district. Acting in that role, granted, but hardly a random South Texas lawyer.

      3. Michael Wojcik Silver badge

        Re: Fore!

        Was this approved by a state judge and therefore were all of the servers in Texas?

        No. Seriously, the answer to this question is right in the links in the article. You can't take a few minutes to check?

        I admit the phrasing in the article is ambiguous: "The action was OK'd ... by a Texas court" is true, in the sense the court is in Texas, but it's not a court of the State of Texas. It's the US District Court for the Southern District of Texas. The servers were in several states. From the warrant application:

        19. The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.

  5. Anonymous Coward

    "Don't worry about security, the government will cover for us if we fuck it up"

    I wonder how much Microsoft paid the feds for their services here? I don't see any mention of that. In fact, the article comes across like they didn't pay and are effectively using the gubmint as a free security / triage / mitigation team.

    I'll have to talk to some of the small businesses I work with. They'll be thrilled to be able to call the gubmint to have their virus scans done for free. They're always complaining about how I expect to be paid for services like that.

    1. AdmFubar

      Re: "Don't worry about security, the government will cover for us if we fuck it up"

      Try the other way around,... sure microsoft we'll take care of this lil issue for us... here is some tax dollars, let us into these servers... never mind that we will rummage around/plant "evidence" to make us look good..

    2. sabroni Silver badge

      Re: I wonder how much Microsoft paid the feds for their services here?

      Claims that the FBI are behind it: https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft

      1. Michael Wojcik Silver badge

        Re: I wonder how much Microsoft paid the feds for their services here?

        Claims? The warrant application is mostly an affidavit from an FBI Special Agent, name redacted. It was absolutely a request from the FBI.

  6. JWLong Bronze badge

    Out with the old, in with the new

    Sounds like a bunch of old NSA backdoors got discovered and now they need the Feds to go around and plant new, unknown ones to maintain their status quo.

    Even the courts are in on it now.

    The status quo has just shifted and it's not in a better direction.

    1. Anonymous Coward

      Re: Out with the old, in with the new

      As in most countries, the biggest Criminals are the Government & their friends.

      1. JWLong Bronze badge

        Re: Out with the old, in with the new

        Life is getting to be a hard road to travel anymore.

        Ah yes, the last miles are always the longest. Guess I'll just keep shooting at all the stop signs. As long as having fun hasn't been made illegal.

        Just cheap entertainment.

      2. Alumoi Silver badge

        Re: Out with the old, in with the new

        Theft is considered a crime because government hates competition.

      3. amanfromMars 1 Silver badge

        Re: Out with the old, in with the new

        As in most countries, the biggest Criminals are the Government & their friends. ..... Anonymous Coward

        Now that is an observation and accusation that the present Boris Johnson fronted Tory Party gang/cabal/government are most anxious to not be discovered and exposed by a quasi-independent Westminster Parliamentary inquiry before a cast of their peers, in a copy-cat mirror of the recent, excellently transparent and wonderfully well live-televised/broadbandcast Scottish Parliament Holyrood Inquiry investigating the shenanigans surrounding Nicola Sturgeon and Alex Salmond.

        For any thinking that better lessons and unpleasant hidden truths can be learned with a trialing and trailing of anything else lesser, they would be very much mistaken, and have one thinking that they would have much to hide from general knowledge and mass public view should they choose to reject and oppose it ...... and that would make them somewhat complicit in and possibly probable accessories to any and all facts that would subsequently be teased to the surface of the swamp.

        What a stinking mess they have made for themselves.

        One does have to wonder at what the police and the military and the intelligence services are going to do about, or whether they are to be recognised as a toothless paper tiger doing nothing at all honourable?

      4. Anonymous Coward

        Re: Out with the old, in with the new

        I'm stealing this "As in most countries, the biggest Criminals are the Government & their friends."

        1. Robert Carnegie Silver badge
          Joke

          Re: Out with the old, in with the new

          Stealing it? Property is theft, AC. So stolen property is... double theft I suppose? :-)

    2. jgard

      Re: Out with the old, in with the new

      Yeah, because if the FBI wanted to install backdoors, they would go to court to get the permission, install them, tell the companies concerned, then release the story to the press.

    3. Rob Daglish
      Joke

      Re: Out with the old, in with the new

      Yeah, Status Quo has never been the same since Rick Parfitt died... Oh...

      1. JWLong Bronze badge

        Re: Out with the old, in with the new

        Rob, you're showing your age.

        I'm just a sixties kid.

        Purple Haze all the way.

  7. chivo243 Silver badge
    Big Brother

    Another reason I sleep at night

    NO EXCHANGE any longer!! but WTF! US Guv patching servers now? Without consent? I wonder how many were borked in the process? Anybody remember Rockwell?

    https://youtu.be/7YvAYIJSSZY?t=2

    1. Martin Summers Silver badge

      Re: Another reason I sleep at night

      They didn't patch the servers. RTFA.

  8. Anonymous South African Coward Silver badge
    Trollface

    "Meh, our backdoors got discovered."

    "No sweat, we'll just delete the ones they know of, and plant a couple of better, improved ones"

  9. Mike 137 Silver badge

    Whose bloody computer?

    So now the 'good' guys and the bad guys both get to tamper with your systems without warning. Time to install some pretty strong protective proxy between you and the entire planet.

    Ultimately, security should be the responsibility of the system owner. That's the only safe place to be, provided the necessary understanding and resources are in place. Government agencies should be providing the understanding and resources, not tinkering arbitrarily with your kit.

    1. Anonymous South African Coward Silver badge

      Re: Whose bloody computer?

      Fallout - both the good and bad guys tamper with your purdy compoota to such an extent that it is totally FUBAR'd up, leaving you to extract the Exchange database and do a full rebuild and restore from clean backup.

    2. Lee D Silver badge

      Re: Whose bloody computer?

      Hint:

      Don't run computers that let unauthorised people run commands on them.

      This stops not only these kinds of actions, but also the problem in the first place.

      While I agree that the responsibility should be your own, I see no problem with, say, permanently cutting off the Internet of infected machines at the ISP level until they are showing no more malicious traffic.

      PlusNet in the UK used to block your web etc. access if they detected an open Samba port on your Internet-side. I think this is perfectly reasonable. I think it should be extended to "you're running a business mail server that's known-compromised and hasn't been patched in years", they just block your IP access and replace all HTTP pages with "Your network has been compromised, and as your ISP we have blocked your access. Contact us for information on how to resolve this block".

      Maybe then people would wake up and fix their stuff in a timely manner.

      1. Martin Summers Silver badge

        Re: Whose bloody computer?

        Precisely Lee. So many people bitching and moaning that the Government is accessing systems, when the systems have already been compromised and accessed. They are slightly better off than before for the action. If they feel they are worse off then they should have patched the exploit and removed the shells themselves when they had the chance. At least the government are trying to tell the owners of these systems that they're vulnerable.

      2. Lunatic Looking For Asylum

        Re: Whose bloody computer?

        I wondered about this as well. Why didn't they just get a court order to threaten to turn off said companies' internet connection in X days if they don't fix the problem? You can lose your freedom for petty misdemeanours, why not just lose your link until you have shown that you can fix the problem.

        Going in and modding somebody's server - no matter how bad the situation or good the intentions is an awful precedent to set.

      3. Alan Brown Silver badge

        Re: Whose bloody computer?

        sticking "known compromised" systems in a "quarantine vlan" is standard operating procedure in many networks

        Doing it at ISP level can result in helldesks being flooded out though

    3. the hatter

      Re: Whose bloody computer?

      Whose bloody country ? The good guys will tamper with your computer if it's in the national/their interest. Always have done, always will do. The time to install strong security was forever ago, and it still won't keep anyone determined, good or bad, out. If your takeaway from the feds removing one piece of malware from your computer is that you need better security, you're not wrong, but you're not competent.

  10. amanfromMars 1 Silver badge
    Mushroom

    Don't Panic. Proper Prime Premium Adjustments are Designedly Painless, Others Designedly Less So.

    With just two simple transpositions, is something from elsewhere yesterday rendered extraordinarily prescient quoted here today.

    How about upping the ante and nailing the tail on the donkey with the tell-all tale of Bellingcat FBI looking far more like a bunch of crooks masquerading as wannabe spooks in the disguise of rotten two-faced reporters to the core rather than sugaring the poison pill with a similar Bellingcat FBI looks far more like a bunch of spooks masquerading as citizen journalists than a people-centered organization taking on power and lies wherever it sees them. Unfortunately, with many of its proteges travelling through the pipeline into influential media outlets, it seems that there might be quite a few masquerading as reporters as well.

    And should it be a fact that UK SIS US NSA are supporters of Bellingcat FBI, one would have to conclude that their secret intelligence service[s] is[are] in dire straits need of Novel Info and Noble Intel and NEUKlearer HyperRadioProACTive IT Sources for unparalleled unhindered success in the CyberIntelAIgent Space Domain ....... Captivated Hearts and Captured Minds Environment.

    Do you know what all that means for everything and anything everywhere and anywhere that would both know of and enjoy and employ the Perils and Joys of Parallel Travel Paths and Singularities ..... apart from yet another COSMIC* Systems Capture for Alien Beings

    COSMIC* .. Control Of Secret Materiel in an Internetional Command

  11. jake Silver badge

    So all you businesses running Redmond software ...

    ... how does it feel that the FBI just trawled through the complete contents of your email system, and anything else that can be accessed through it?

    Yes, I know, they'll claim they didn't look at anything, and they didn't keep copies of anything, and they didn't plant private backdoors on anything, not even the juicy targets ...but c'mon, that's what they do! It is their entire remit. You know it, I know it, and the FBI knows we know it. And yet you STILL apologize for Redmond's piss-poor security and continue to use it?

    Wow. Just wow.

    1. sabroni Silver badge
      Facepalm

      Re: the FBI just trawled through the complete contents of your email system

      Yeah, then they fucked my dog!

      What a bunch of bastards!!

      1. JWLong Bronze badge

        Re: the FBI just trawled through the complete contents of your email system

        You know how dogs are!

    2. Adrian 4 Silver badge

      Re: So all you businesses running Redmond software ...

      It's pretty sad that the first reaction to feds doing stuff like this is that they're sneaking in and adding their own spyware. More of a condemnation of the feds to have let their reputation slip so far.

      The saving grace is that they (allegedly) did this using the malware itself, not the holes in Exchange. If you weren't already being attacked by malware authors and had failed to remove the web shell yourself, they (allegedly) did nothing. Presumably people cynical about the feds would have already done this.

      1. John Brown (no body) Silver badge

        Re: So all you businesses running Redmond software ...

        "The saving grace is that they (allegedly) did this using the malware itself, not the holes in Exchange. If you weren't already being attacked by malware authors and had failed to remove the web shell yourself, they (allegedly) did nothing. Presumably people cynical about the feds would have already done this."

        This! The tinfoil-hatters with their kneejerk responses seem to be out in force today. It'd be nice if they took a few seconds to at least skim the article instead of spouting made up "facts". Some of what they are spouting may well be true, but they are still only assertions.

    3. Munchausen's proxy

      Re: So all you businesses running Redmond software ...

      "and they didn't plant private backdoors on anything,"

      Then put a pass-through system between your exchange server and the outside world, and audit its network traffic.

  12. Andy The Hat Silver badge

    Am I reading a different article?

    "The Feds are trawling and copying"

    "The Feds are taking my data"

    As I read it the FEDs appear to have sent a command via the web shell specifically to kill the malware (perhaps a malware self sanitise instruction). Discovery of the presence of the infection could be as simple as monitoring phone home pings with no need to have direct access to the infected server at all. Similarly the kill command could be sent under the guise of the c&c server to turn the malware on itself ...

    I may be wrong but it seems that the "conspiracy theories" possibly fit this story less well than good old "trying to do the right thing" ...

    1. cawfee

      Re: Am I reading a different article?

      It's not just you. But you know what el reg's forums are like...

      Micro$ofT = BaD!!11!

      FBI = DoUbLE BaD11!

      Therefore they must have gotten in, cloned all your "very interesting email" and let themselves out, rather than just deleting the web shell.

      All hail linux ect. etc.

  13. General Purpose Bronze badge

    How about the UK and elsewhere?

    Does the National Cyber Security Centre need a warrant to do this in the UK or does it already have the power, maybe by royal prerogative or the post-Brexit powers? How about elsewhere? And has the FBI worked on American companies' overseas servers or only ones within the US?

  14. BazNav

    Only servers in the USA

    I wonder how the FBI determined that all of the servers they accessed were within the USA? I'm pretty sure that there are a bunch of servers that resolve to USAian IP addresses that are not within the US courts' jurisdiction, e.g. foreign embassies. But I'm sure that the FBI checked on the details of every server in detail before 'helping' and any overstretch was purely accidental.

  15. jgard

    What were the Alternatives?

    This makes me feel a little uneasy about the FBI overstepping the mark, but I think some people here are misinterpreting the story. They didn't patch any server, they just removed the malware. And if the FBI were going to install their crap, or steal info, would they go to court, be granted permission by a judge, do the deed, then tell the owners and the world's press afterwards? I think not.

    This was almost certainly a national security issue, on which the FBI had to act quickly. If a team of Russian spies was rummaging around a Lockheed Martin office stealing missile designs, the feds would get round there and stop them. If they didn't, they'd be castigated for their inaction. In principle, this is no different - they have an obligation to stop a crime in action, especially when it involves national security.

    It does leave me feeling uneasy, but I don't think there was much of a choice. The alternative is to let the bad guys steal top secret info and use it against US and / or its allies.

    1. Anonymous Coward

      Re: What were the Alternatives?

      The alternative is simple : inform the affected parties *before* you do this, with a clear indication that inaction will result in either the feds killing webshells on <date>, or the feds contacting your ISP to block your IP until you have patched the bloody thing.

      1. Ken Moorhouse Silver badge

        Re: The alternative is simple : inform the affected parties *before* you do this

        How many emails does one get that purport to come from organisations such as the FBI?

        They go straight in the Spam folder. So unfortunately that course of action will be ineffective.

        ===

        The only improvement on what they did that I can think of, is to do what Lee suggests, which is to get the ISP in each case to block relevant ports.

    2. amanfromMars 1 Silver badge

      Re: What were the Alternatives in the Great Not U/GNU's Not Unix Game?

      Re: Alternatives, jgard ..... if not the Russians, one can always try blaming and shaming the Chinese for such diligent enterprise. It's a common default position for faulty default ridden systems. And some already have tried exercising that leap ........ as some always do. Does anyone care to mention and speculate on whom?

      Microsoft announced a massive breach of its Exchange email platform in early March, saying that a zero-day vulnerability in the servers had given “long-term access” to hackers. The attack was attributed to a group dubbed Hafnium – an allegedly “state-sponsored” outfit operating out of China. ..... https://www.rt.com/usa/520953-fbi-microsoft-hafnium-exploit/

  16. YetAnotherJoeBlow Bronze badge
    Meh

    Whew this is a tough crowd...

    What is interesting is that after they removed the shell, a bot would redeploy the shell in minutes. The FBI of course knows this. What a great cover story.

  17. Pirate Dave
    Pirate

    Take-aways

    1. The FBI is watching our servers much closer than most of us realized.

    2. The FBI has (at least) one judge in its pocket.

    3. The FBI is becoming aggressive again.

    1. Pirate Dave

      Re: Take-aways

      Wow, 5 thumbs-down in only 6 hours?

      Oh shit.

      4. The FBI reads El Reg and will downvote you if you speak negatively of them.

      1. John Brown (no body) Silver badge

        Re: Take-aways

        Or, instead of your Point 1., The FBI has been aware of this issue and thinks it's enough of a threat to national security that they threw together a tool to search for Exchange servers that were infected. After all, there are resources out there on the internet you can easily find and use to locate "open" baby monitors, web cams and all sorts of stuff that the owners have not secured. Anyone who reads El Reg reasonably frequently already knows this.

        1. Ken Moorhouse Silver badge

          Re: they threw together a tool to search for Exchange servers that were infected

          Taking your post one step further, my feeling is that such a tool was regarded as a long-term investment for them. It may have been in existence for some time prior to this outbreak, and will no doubt come in useful again in the future. No doubt it is a regular spider observed at regular intervals by mail admins (gosh, I sound like Attenborough: it's one creature that is unlikely to go extinct though).

  18. markrand
    Flame

    I guess it was good that the correction was done by the FBI and not the CIA or Mossad. If that were the case, the data centre power supplies would have been melted.

    1. Claptrap314 Silver badge
      Facepalm

      Yep, because you just KNOW that the JEWS are the most likely culprit in any given scenario.

      Take that picture of Mr. Mustache off your wall. It went out of style in the 40's.

  19. zeigerpuppy

    they only did half the job...

    the FBI would do better to uninstall Exchange altogether and replace it with Postfix/Dovecot.

  20. mark l 2 Silver badge

    I guess the real world analogy would be if the police noticed a business premises had been broken into and was being used by criminals to store drugs, I am sure they could go to court and get a warrant to go in the business and remove the drugs and seal it up so it can't be used again by the criminals.

    Although the issue of when the owner is informed of the police getting involved is one that could be debated

  21. Claptrap314 Silver badge
    Black Helicopters

    They doing this with a cron job?

    Because if not, it's not going to last for long...

    I can understand the impulse to do something like this, but unless the servers are taken offline, one way or another, this smacks of feel-good-ism at best. At worst? -->

    1. Alan Brown Silver badge

      Re: They doing this with a cron job?

      "Robin Hood and Friar Tuck" date back how far? (Certainly to mainframe days)

  22. Robert Carnegie Silver badge

    I could have this wrong, but I think if you patched your Exchange server but it already had the malware put on it, it's still there. Until the FBI deleted it.

    Some alternative possible (not necessarily legal) actions for them:

    Rename the malware file from NAUGHTYTHINGS.EXE to NAUGHTYTHINGS.FBI to inactivate it. (But that file might exist already.)

    Drop a copy of the EICAR not-virus named GOOGLE-FBI-CVE-2021-26855.EXE. Sometime, someone will notice.

    Replace the actual malware with FBI-ARE-WATCHING-YOU.EXE which reports on attempts to connect.
