Botnet Made Up Of 7,000 End-Of-Life Routers Taken Down

A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers.

The U.S. Department of Justice (DOJ) announcement came two days after an FBI alert warning about the Anyproxy.net and 5socks.net botnets and urging users to replace vulnerable internet routers or disable remote administration.

In addition to a domain seizure warrant for Anyproxy.net and 5socks.net, the DOJ also announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.

More Than 7,0000 End-Of-Life Routers in Botnet

The Indictment alleges that the botnet was created by infecting older-model wireless internet routers worldwide. The malware allowed the routers to grant unauthorized access to third parties and made them available for sale as proxy servers on the Anyproxy and 5socks websites. Both website domains were managed by a company headquartered in Virginia and hosted on computer servers worldwide, the DOJ alleges.

Court documents revealed that the 5socks.net website advertised more than 7,000 proxies for sale worldwide. Users paid a monthly subscription fee ranging from $9.95 to $110 per month. The DOJ said the website’s slogan – “Working since 2004!” – suggests that the service had been available for more than 20 years.

Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov, a Kazakhstani national, were charged with Conspiracy and Damage to Protected Computers for conspiring with others to maintain, operate, and profit from the botnet services. Chertkov and Rubtsov were also charged with False Registration of a Domain Name for allegedly falsely identifying themselves when they registered and used the domains Anyproxy.net and 5socks.net.

The DOJ said the defendants “are believed to have amassed more than $46 million from selling access to the infected routers that were part of the Anyproxy botnet.”

Also credited in the operation were the Eastern District of Virginia, the Dutch National Police – Amsterdam Region, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police. Lumen Technologies’ Black Lotus Labs also assisted in the investigation.

13 Vulnerable Routers Identified

The May 7 FBI alert listed 13 vulnerable routers. Those devices include:

• E1200
• E2500
• E1000
• E4200
• E1500
• E300
• E3200
• WRT320N
• E1550
• WRT610N
• E100
• M10
• WRT310N

The FBI recommended that users “identify if any of the devices vulnerable to compromise are part of their networking infrastructure. If so, these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection. Alternatively, a user can prevent infection by disabling remote administration and rebooting the device.”

Related