The FBI and Dutch police have taken down two botnets and indicted four people believed to have been behind them.
The botnets consisted of thousands of older wireless internet routers worldwide that had been infected with malware allowing the operators to reconfigure them; the compromised devices were then offered for sale as proxy servers on the Anyproxy.net and 5socks.net websites.
Both website domains were managed by a company headquartered in Virginia and hosted on computer servers worldwide.
The 5socks.net website advertised more than 7,000 proxies for sale around the world, with users paying a subscription fee of between $9.95 and $110 per month.
“The website’s slogan, ‘Working since 2004!’, indicates that the service has been available for more than 20 years,” said the FBI.
“The defendants are believed to have amassed more than $46 million from selling access to the infected routers that were part of the Anyproxy botnet.”
The websites now display notices stating that they’ve been seized by the FBI in a law enforcement operation called Operation Moonlander.
As part of the operation, Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov, a Kazakhstani national, have been charged with conspiracy and damage to protected computers. Chertkov and Rubtsov have also been charged with false registration of a domain name.
More than half the botnet’s victims are in the US, with Canada and Ecuador the next most affected. Researchers from Lumen, which has been tracking the botnet for more than a year, said they observed a weekly average of 1,000 unique bots communicating with command-and-control infrastructure located in Turkey.
“Proxy services have and will continue to present a direct threat to internet security as they allow malicious actors to hide behind unsuspecting residential IPs, complicating detection by network monitoring tools,” the firm warned.
“As a vast number of end-of-life devices remain in circulation, and the world continues to adopt devices in the Internet of Things, there will continue to be a massive pool of targets for malicious actors.”
Routers are a frequent botnet target: last year a company linked to the Chinese government was found to have been running a global botnet of more than 260,000 compromised devices across North America, Europe, Africa and Southeast Asia.
The FBI is now warning organizations to replace the aging router models exploited by the Anyproxy.net and 5socks.net operators. It lists the Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200 and E1550, and the Linksys WRT320N, WRT310N and WRT610N; the Ericsson Cradlepoint E100 router; and the Cisco Valet M10.
“The FBI recommends users identify if any of the devices vulnerable to compromise are part of their networking infrastructure,” it said.
“If so, these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection. Alternatively, a user can prevent infection by disabling remote administration and rebooting the device.”
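A check of the kind the FBI recommends, as an added example that is not part of the original article or of the FBI advisory: it parses a constructed inventory of router records (IP, vendor, whether remote administration is enabled, and a banner string such as an SNMP sysDescr or login-page title), picks out the models named in the warning above, and assigns the advisory's action to each match. The inventory format, the sample lines, the banner layouts and the model regex are assumptions made for this example.

```python
"""Flag routers from the FBI warning in a constructed network inventory."""
import re
from dataclasses import dataclass
from typing import Optional

# Models named in the FBI warning quoted above, keyed by vendor (lower-case).
EOL_MODELS = {
    "linksys": {"E1200", "E2500", "E1000", "E4200", "E1500", "E300",
                "E3200", "E1550", "WRT320N", "WRT310N", "WRT610N"},
    "cradlepoint": {"E100"},   # Ericsson Cradlepoint E100
    "cisco": {"M10"},          # Cisco Valet M10
}

# Model tokens as they might appear in device banners. The banner formats
# are assumptions for this example; adjust the pattern to your own data.
MODEL_TOKEN = re.compile(r"\b(WRT\d{3}N|E\d{3,4}|M10)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ip: str
    model: str
    remote_admin: bool
    action: str


def extract_model(vendor: str, banner: str) -> Optional[str]:
    """Return the first banner token that is a listed model for this vendor, else None."""
    listed = EOL_MODELS.get(vendor.lower(), set())
    for token in MODEL_TOKEN.findall(banner):
        if token.upper() in listed:
            return token.upper()
    return None


def assess(record: dict) -> Optional[Finding]:
    """Map one inventory record to a finding with the advisory's recommended action."""
    model = extract_model(record["vendor"], record["banner"])
    if model is None:
        return None
    # The advisory's fix is replacement; disabling remote administration and
    # rebooting is the interim step when remote administration is exposed.
    action = "replace with a model still under vendor support"
    if record["remote_admin"]:
        action = "disable remote administration and reboot now; then " + action
    return Finding(record["ip"], model, record["remote_admin"], action)


def parse_inventory(text: str) -> list:
    """Parse 'ip, vendor, remote_admin, banner' lines (a format assumed for this example)."""
    records = []
    for line in text.strip().splitlines():
        ip, vendor, remote_admin, banner = (f.strip() for f in line.split(",", 3))
        records.append({
            "ip": ip,
            "vendor": vendor,
            "remote_admin": remote_admin.lower() in ("on", "yes", "true", "1"),
            "banner": banner,
        })
    return records


def audit(text: str) -> list:
    """Return findings for every inventory record that matches a listed model."""
    return [f for f in (assess(r) for r in parse_inventory(text)) if f is not None]


# Constructed sample inventory for this example; not real scan data.
SAMPLE_INVENTORY = """
192.168.1.1, Linksys, on, Linksys E1200 v2 firmware 2.0.09
192.168.2.1, Cisco, off, Cisco Valet M10 Wireless Hotspot
10.0.0.1, Ubiquiti, off, UniFi Dream Machine 3.2.7
10.0.5.1, Linksys, on, Linksys WRT3200ACM fw 1.0.10
172.16.0.1, Cradlepoint, on, Cradlepoint E100 rev. A
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding.ip}: {finding.model} -> {finding.action}")
```

The match is deliberately restricted to the exact tokens in the warning: a Linksys WRT3200ACM in the sample is not flagged, because it is not on the list, even though it shares the WRT prefix. Feed the script whatever banner source you already collect (SNMP sysDescr, HTTP title, DHCP vendor class) and treat any remote_admin=on hit as the first thing to fix.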