Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs

Notorious Windows malware Emotet was automatically wiped from computers yesterday by European law enforcement using a customized DLL. This specially crafted time bomb caused the software to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command- …

  1. tip pc Silver badge

    Bad-Good

    Not sure on this, on the one hand they’ve stopped a nasty, on the other to my mind installing stuff on people’s computers without permission is a no no.

    What if something breaks and they are to blame?

    What if the nasty was keeping other nasties away?

    Governments clandestinely being system admins to machines around the globe is an issue.

    Microsoft need to put something in their eula that makes these activities legit.

    1. Phil O'Sophical Silver badge

      Re: Bad-Good

      As I read the article, the uninstall used the compromised malware framework, so would only happen on systems that were already infected. If you've kept your PC protected & malware-free nothing would happen. This isn't a case of the white hats using an exploit to break into your system for some arguably-beneficial purpose, they are modifying malware you've already 'caught' to uninstall itself. I think that's less of a concern.

      1. Andy The Hat Silver badge

        Re: Bad-Good

        This is difficult.

        On the one hand, they "owned" the software and simply pushed an update - that's done all the time. On the other hand they "took control" of the software and changed its original function to modify users' machines. Admittedly in this case it was a piece of software used illegally but what if it was a piece of legit software that the authorities didn't like? Take as an example an encryption tool for a chat app because children, darkweb, criminals ... you know the usual buzzwords. On the one hand, that tool *could* be used for nefarious purposes but, on the other, it *is* used by the majority for totally legit private communication, to conduct secure company deals, to act as a private communications conduit for those (legitimately) opposed to the Government, to arrange interior decorating contracts or whatever. Would it then be ok for the powers that be to declare that they've taken ownership of that software and then kill the encryption on users' machines using a normal push update because of children, darkweb etc etc ...? A bit like taking all cars off the road because bank robbers use them.

        I think we're dipping toes into some very deep water. The only limit seems to be the requirement for a warrant to perform such functions ... except in this European case where there is no mention at all of judicial oversight procedures.

        1. Anonymous Coward
          Boffin

          Re: Bad-Good

          The lack of judicial oversight troubles me as well, although it may have existed and just was not mentioned in the article.

          On the other hand, the FBI case had a judicial warrant and the other concerns were still raised.

          There appears to be no way on either side of the pond to force companies to remove malware from their computers so we are stuck between a rock and a hard place. Let a law enforcement agency remove it or let it continue to exist.

          1. Claptrap314 Silver badge

            Re: Bad-Good

            The answer is liability. Send a deputy with a letter from a prosecutor, "Dear victim: It has come to the attention of law enforcement that computers responding to IP address %address%, registered to your company, are sending traffic consistent with the malware known as %badstuff%. Be informed that the Computer Misuse Act holds owners responsible for unauthorized access of other computers. If said traffic is not stopped within 24 hours, criminal charges will be filed against your company and/or its officers."

            I expect that even the most backwards company would get those systems offline in less than 24 hours.

            No need for the government to p0wn systems. Just enforce the law.

            1. Anonymous Coward
              Anonymous Coward

              Re: Bad-Good

              I expect that even the most backwards company would get those systems offline in less than 24 hours.

              I expect that people would just say "fscking spam", and file the letter in the round file.

              1. Claptrap314 Silver badge

                Re: Bad-Good

                "Send a deputy with a letter from a prosecutor"

                Spam is not usually hand-delivered by men with a badge, uniform, and gun.

            2. Michael Wojcik Silver badge

              Re: Bad-Good

              I expect that even the most backwards company would get those systems offline in less than 24 hours.

              Your optimism is adorable.

              Also, of course, this proposal has technical issues, such as identifying infected machines and their owners; and legal ones, such as an unclear basis for threatening charges against companies (much less officers).

              We have a vast body of experience with using regulatory regimes against private-sector offenders. I think it's the mechanism most likely to be broadly efficacious in improving IT security. But it's neither precise nor fast. There's no reason to believe it will be either of those things in this case. So "just enforce the law" is not a solution.

              And like it or not, these sorts of actions by law enforcement will almost certainly continue. Now the government has a taste for it, they will be loath to surrender the power.

              1. Claptrap314 Silver badge

                Re: Bad-Good

                Prompt, visible enforcement has a wonderful effect of concentrating attention. That's why I'm suggesting a slightly creative use of current law. If law enforcement has probable cause to know that a crime is in progress, they are generally justified to enter a property without a warrant. A packet stream to a particular IP address registered to a particular company is probable cause (and therefore enough to get a warrant). Permitting a crime to be carried out on your property is itself a crime, or at least sufficient cause for condemnation.

                You point out the problem with regulation. I'm suggesting something that will get the attention of the PHBs. It doesn't have to happen in every case. Just enough to turn "security issue" into a magic phrase.

    2. FlamingDeath Silver badge

      Re: Bad-Good

      ‘EULA’

      After all, that's what software houses are selling.

      It ain’t software they’re selling, it’s carefully worded license agreements.

      How do you know it's not already in there, have you read it, all incarnations?

    3. vtcodger Silver badge

      Re: Bad-Good

      Sure is a good thing that the Emotet folks didn't leave a doomsday device behind that will brick the affected devices a few after their DLL is removed. They wouldn't do a thing like that ... right? That'd be uncivil.

      Perhaps they will just be content to use the bogus admin account they installed last year when they had control of the machine.

      My point in case it isn't clear. This security thing is a contest. And the black-hatted guys aren't stupid. It might be a good idea to be cautious about taking possibly premature victory laps.

    4. Schultz
      Go

      License revoked

      Just consider it as an expiry of your license to run the Emotet malware packet on your systems. If that breaks your system, then you'll have to fix it on your own time.

      Good thing this was done by a non-NSA entity, otherwise we'd go crazy searching for the hidden payload.

  2. Will Godfrey Silver badge
    Black Helicopters

    Food for thought

    I've no quibble with this action, but am concerned it could be the thin edge of a very nasty wedge. What's the prospect of necessary slowly morphing into desirable and hence to total surveillance?

    1. AMBxx Silver badge
      Childcatcher

      Re: Food for thought

      What happens when the government can't fix the problem but is able to disable the PC to prevent further spread or damage?

      Would we be happy for our infected computers to just stop working 'for the greater good'?

      Very nasty wedge.

      1. Plest Silver badge

        Re: Food for thought

        I do agree with this action as not everyone who owns a PC is able to admin it, some can just about login and start a browser, so they need help to stop shite like this. However as others have said, those of us who do know what we're doing might be caught up in something else much later on that we didn't agree to. False positives do happen and having to rebuild my machine and restore everything 'cos some numpty wrote a DLL and installed it on my PC to clean up something I never had, hmmm.

      2. Anonymous Coward
        Anonymous Coward

        Re: Food for thought

        Yes, that's the ideal solution. Don't bother patching it, nuke it.

        If the cops find an unroadworthy car on the road, they can seize and crush it. They should do the same with compromised computers.

  3. Peter Prof Fox
    Thumb Up

    Tin foil hats

    Why isn't there a vaccine against paranoia?

    Dang it! The service I was offering to clean the Emotet malware for $$$ is now stymied. I'll have to sue the Government for ruining my business. It's not their job to do for free what business can charge for. It's communism I tell you!

    In the UK we already have secret surveillance that can't be referred to in court when evidence is being produced. (Not the evidence that can't be referred to but the fact that it was obtained by secret methods with absolutely no proper scrutiny or challenge.) So worries about state interference might seem justified, but in this case some clever so-and-so had the bright idea for getting the malware to uninstall itself. Remember that the state-actors already had control of the command infrastructure, so they could have used that for naughty purposes. Which would you rather have. Well done whoever thought of this for a neat hack.

    1. chivo243 Silver badge
      Pirate

      Re: Tin foil hats

      I'll go one step further... is my real day job in jeopardy, not just a side hustle removing malware? I'd just like some notice, so I can start a pottery business...

      1. Wellyboot Silver badge

        Re: Tin foil hats

        This is just one successful hit in the everlasting whack-a-mole game.

        Infosec jobs are safe.

        1. FlamingDeath Silver badge

          Re: Tin foil hats

          You mean janitor roles?

  4. Doctor Syntax Silver badge

    My immediate thought was why wait several months? Was it that the malware only checked in with its C&C server at rare intervals or was it time taken to gain political/legal backing?

    1. Alistair
      Windows

      @ DocSyntax

      Why wait several months?

      " In late January, Germany and the Netherlands said they had, via Emotet control servers seized in their jurisdictions, released a software update that quarantined Emotet infections on people's PCs, and directed connections from the malware to evidence-gathering systems"

      I'm guessing that there was some evidence gathered that will be/was used to charge and or convict some folks for some crimes committed using their infected PCs. But that may just be because I'm slightly paranoid.

      1. DS999 Silver badge

        Sounds more like they were trying to find the people benefiting financially from Emotet. Insert a "man in the middle" server that grabs connections from the malware, then forwards the connection to where it was intended, causing any traffic back to also pass through the middleman server.

        That way they can monitor if someone is connecting to it to steal bitcoin wallets, for instance, and see where those bitcoins go (I'm assuming with $2 billion stolen it was probably a lot of bitcoin stolen when worth a lot less, valued at today's price).

        Might have allowed them to identify and arrest some of the suspects, or recover some of the proceeds of their crimes.

  5. Graham Cobb Silver badge

    Investigative reporting

    While I can accept that the action sounds like it is fairly positive, this is a major new step which needs some serious analysis.

    It would be great if El Reg, or some other team, considered some investigative reporting: to find out if court warrants had been obtained, owners informed in advance, what precautions against mistakes were taken, how authorities are detecting and recording unintended consequences to learn for future operations, what data has been collected from the infected machines and when will it be destroyed, etc etc.

    1. Michael Wojcik Silver badge

      Re: Investigative reporting

      Investigation and analysis are certainly welcome, but don't deceive yourself into thinking governments will ever cease this sort of thing. Now that they've done it successfully, they'll fight to the bitter end any attempt to constrain them; and even if people pushed through changes to restrict it, they'd just do it quietly.

  6. iron Silver badge

    > that prevented Emotet's masterminds from ever regaining control of infected PCs.

    Ever is a very long time and that is a very bold statement to make. If a "mastermind" can write one virus then they can always write another, especially since no one was arrested.

    1. Anonymous Coward
      Anonymous Coward

      @iron

      And you can bet your last quid that because of the gloating, the "baddies" will be burning serious quantities of midnight oil

    2. jtaylor

      > that prevented Emotet's masterminds from ever regaining control of infected PCs.

      "a very bold statement...If a "mastermind" can write one virus then they can always write another"

      I believe "regaining control" refers to setting up a new Command and Control system for those Emotet bots. Which appears to be true. If Mr. Corfield wanted to tell us that nobody would create different malware, he would have said so.

    3. Michael Wojcik Silver badge

      Fortunately, there are precious few masterminds on any side in IT security (or any other field of endeavor). Also, with so much low-hanging fruit, economics don't favor trying to regain control of the Emotet network. Just move on to the next malware package.

  7. batfink
    Pint

    Well done Euro-rozzers

    Have one of these ---->

    1. Anonymous Coward
      Anonymous Coward

      Re: Well done Euro-rozzers

      Why the downvoter?!

      1. Michael Wojcik Silver badge

        Re: Well done Euro-rozzers

        Have you read the other comments on this story?
