Skip to content
Naked Security Naked Security

Google wins court order to force ISPs to filter botnet traffic

CryptBot criminals are alleged to have plundered browser passwords, illicitly-snapped screenshots, cryptocurrency account data, and more.

A US court has recently unsealed a restraining order against a gang of alleged cybercrooks operating outside the country, based on a formal legal complaint from internet giant Google.

Google, it seems, decided to use its size, influence and network data to say, “No more!”, based on evidence it had collected about a cybergang known loosely as the CryptBot crew, whom Google claimed were:

  • Ripping off Google product names, icons and trademarks to shill their rogue software distribution services.
  • Running “pay-per-install” services for alleged software bundles that deliberately injected malware onto victims’ computers.
  • Operating a botnet (a robot or zombie network) to steal, collect and collate personal data from hundred of thousands of victims in the US.

You can read a PDF of the court document online.
Thanks to our chums at online pub The Register for posting this.

Plunder at will

Data that these CryptBot criminals are alleged to have plundered includes browser passwords, illicitly-snapped screenshots, cryptocurrency account data, and other PII (personally identifiable information).

As the court order puts it:

The Defendants are responsible for distributing a botnet that has infected approximately 672,220 CryptBot victim devices in the US in the last year. At any moment, the botnet’s extraordinary computing power could be harnessed for other criminal schemes.

Defendants could, for example, enable large ransomware or distributed denial-of-service attacks on legitimate businesses and other targets. Defendants could themselves perpetrate such a harmful attack, or they could sell access to the botnet to a third party for that purpose.

Because the defendants are apparently operating out of Pakistan, and unsurprisingly didn’t show up in court to argue their case, the court decided its outcome without hearing their side of the story.

Nevertheless, the court concluded that Google had shown “a likelihood of success” in respect of charges including violating the Computer Fraud and Abuse Act, trademark rules, and racketeering laws (which deal, loosely speaking, with so-called organised crime – committing crimes as if you were running a business):

[The court favors] a temporary restraining order. The criminal enterprise is defrauding users and injuring Google. There is no countervailing factor weighing against a temporary restraining order: there is no legitimate reason why Defendants should be permitted to continue to disseminate malware and cracked software and manipulate infected computers to carry out criminal schemes. […]

Every day that passes, the Defendants infect new computers, steal more account information, and deceive more unsuspecting victims. Protection from malicious cyberattacks and other cybercrimes is strongly in the public interest.

As you can imagine, some aspects of the restraining order follow the sort of legalisms that strike non-lawyers as tautological outcomes, namely officially demanding that the criminals stop committing crimes, including: no longer distributing malware, no longer running a botnet, no longer stealing victims’ data and no longer selling that stolen data on to other crooks.

Block that traffic

Interestingly, however, the court order also authorises Google to identify network providers whose services directly or indirectly make this criminality possible, and to “[request] that those persons and entities take reasonable best efforts” to stop the malware and the data theft in its tracks.

That intervention doesn’t just apply to companies such as domain name registrars and hosting providers. (Court orders often demand that server names get taken away from criminals and handed over to law enforcement or to the company being harmed, and that websites or web servers get taken down.)

Presumably to make it harder for these alleged crooks simply to shift their servers to hosting providers that either can’t be identified at all, or that will happily ignore US takedown requests, this court order even covers blocking network traffic that is known to be going to or coming from domains associated with the CryptBot crew.

The final network hops taken by any malicious traffic that reaches US victims is almost certain to pass through ISPs that are under US jurisdiction, so we’re assuming that those providers may end up with legal responsibility for actively filtering out any malicious traffic.

To be clear, the court order doesn’t demand, or even mention, any sort of snooping on, sniffing out or saving of any data that’s transferred; it merely covers taking “reasonable steps to identify” and “reasonable steps to block” traffic to and from a list of identified domains and IP numbers.

Additionally, the order covers blocking traffic “to and/or from any other IP addresses or domains to which Defendants may move the botnet infrastructure,” and gives Google the right to “amend [its list of network locations to block] if it identifies other domains, or similar identifiers, used by Defendants in connection with the Malware Distribution Enterprise.”

Finally, the restraining order states, in a single, mighty sentence:

Defendants and their agents, representatives, successors or assigns, and all persons acting in concert or in participation with any of them, and any banks, savings and loan associations, credit card companies, credit card processing agencies, merchant acquiring banks, financial institutions, or other companies or agencies that engage in the processing or transfer of money andlor real or personal property, who receive actual notice of this order by personal service or otherwise, are, without prior approval of the Court, temporarily restrained and enjoined from transferring, disposing or, or secreting any money, stocks, bonds, real or personal property, or other assets of Defendants or otherwise paying or transferring any money, stocks, bonds, real or personal property, or other assets to any of the Defendants, or into or out of any accounts associated with or utilized by any of the Defendants.

In plain English: if you try to help this lot to cash out their ill-gotten gains, whether you accept thirty pieces of silver from them in payment or not, expect to be in trouble!

Will it work?

Will this have any large-scale effect on CryptBot operations, or will their activities simply pop up under a new name, using new malware, distributed from new servers, to build a new botnet?

We don’t know.

But these alleged criminals have now been publicly named, and with more than two-thirds of a million computers said to have been infected with CryptBot zombie malware in the last year in the US alone…

…even a tiny dent in their activities will surely help.

What to do?

To reduce your own risk of zombie malware compromise:

  • Stay away from sites offering unofficial downloads of popular software. Even apparently legitimate download sites sometimes can’t resist adding their own extra “secret sauce” to downloads you could just as easily get via the vendor’s own official channels. Beware of assuming that the first result from a search engine is the official site for any product and simply clicking through to it. If in doubt, ask someone you know and trust to help you find the real vendor and the right download location.
  • Consider running real-time malware blocking tools that not only scan downloads, but also proactively prevent you from reaching risky or outright dangerous download servers in the first place.
  • Never be tempted to go for a pirated or cracked program, no matter how valid you think your own justification might be for not paying for or licensing it correctly. If you can’t or won’t pay for a commercial product, find a free or open-source alternative that you can use instead, even if it means learning a new product or giving up some features you like, and get it from a genuine download server.


Where can we get this list to populate our firewalls?


I don’t know. It’s listed in the PDF that we link to as Appendix A, but that’s not in the PDF itself. Maybe that’s a detail that wasn’t unsealed? Also, the list is likely to change – the court order doesn’t say “everyone must block everything on the list for ever”.

It’s more along the lines of “for 14 days, Google has a right to ask for some, many or all of the domains and IPs in Appendix A or its updated form, to be blocked.


A golden nugget here:

“Beware of assuming that the first result from a search engine is the official site for any product and simply clicking through to it.”

Unfortunately, I think it’s almost time to change it to:

“Always assume that the first result from a search engine is not the official site for any product, so do not click through to it.”


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!