Posts by fastball

1 publicly visible post • joined 2 Feb 2024

FBI confirms it issued remote kill command to blow out Volt Typhoon's botnet

fastball

Re: Thanks for nothing

FBI likely recovered the botnet binaries and reverse-engineered the malware's C2 protocol. In the warrant they state that they uninstall the botnet malware by issuing KV botnet commands to the devices. Since the botnet is P2P (also identified in the warrant and other reporting), it's likely that the individual nodes don't properly authenticate that commands are coming from an authoritative botnet server.

Also in the warrant, it appears that they issued hardening commands (also through the botnet C2 protocol) to prevent re-exploitation of the devices once the botnet malware is uninstalled. They mention that the botnet itself is non-persistent (i.e. doesn't survive device reboots), but it's not clear to me if the hardening survives reboots. That part of the warrant is heavily redacted, understandably so.

I also was not fully clear on point 22b, the case in which they apparently modify the malware (probably issuing a "change C2 server" botnet command and having it point to loopback rather than the actual C2 server) to neuter it. It kind of seems from the introduction that this case applies if there are multiple instances of the botnet running, but again, it's hard to tell with the redactions.

IMHO this is once again a very impressive legal and technical achievement by the FBI, props to you guys for pulling it off again.