17 million “zombie” devices: how the global botnet was destroyed

In a large-scale international cyber operation, law enforcement agencies and leading digital security experts dealt a devastating blow to the global hacking infrastructure. A successful takedown of a botnet in the Netherlands helped save more than 17 million infected devices worldwide that were being secretly used by cybercriminals without their owners’ knowledge.

The scale of the global special operation

While ordinary users went about their business, the National Police of the Netherlands, together with specialists from the National Center for Cyber Security, carried out a technical cleanup of the network on a global scale. The botnet controlled more than 17 million devices, including smartphones, personal computers and even household “smart” devices (down to routers and toasters). All of this equipment was remotely exploited by criminals in the shadow sector of the Internet.

The large-scale investigation began with a detailed report from a vigilant cybersecurity specialist. The expert recorded suspicious activity from a large network of proxy servers and passed the data to law enforcement, which led to the complete destruction of the attackers’ infrastructure.

Botnet specifications and architecture

Investigative actions revealed a complex technical system that cybercriminals had been building for years:

  • Size of infected network: more than 17,000,000 hosts.
  • Management infrastructure: about 200 rented servers.
  • Physical location of management servers: legitimate data centers in the Netherlands.

Choosing reputable European hosting is a favorite method of cybercriminals. It lets them disguise malicious network traffic as legitimate data exchange, minimizing suspicion from providers and automated security algorithms.

Usage features: ASOCKS proxy platform

This botnet was a full-fledged commercial hacker project and was inextricably linked to the ASOCKS proxy platform. This shadow service was positioned as a residential proxy shop, giving its customers the opportunity to hide their real IP address by passing traffic through the home devices of ordinary users. The range of criminal services based on this infrastructure included:

  • Organization of massive phishing campaigns.
  • Mass automatic sending of spam messages.
  • Performing devastating DDoS attacks on commercial and government web portals.

Because the requests came on behalf of real users from ordinary residential neighborhoods, the security systems of most targets did not recognize the network attacks.

Results of the raid against the botnet infrastructure

During the police intervention, about two hundred control servers were taken offline by communication providers on the official order of the security authorities. In addition, investigators seized physical hard drives along with equipment as evidence. This technical blow has deprived the network operators of operational control and revenue, since rebuilding such a network will require enormous time and money.

How to prevent your device from turning into a “zombie”?

Law enforcement officers destroyed the hackers’ server coordination centers, but the owners of the 17 million infected devices are themselves still vulnerable to future software modifications, because the key developers are still at large. The NCSC strongly recommends following the fundamental rules of digital hygiene:

  • Update the system firmware of all smart devices (including routers) in a timely manner.
  • Be sure to change the factory default administration passwords.
