Google Gimps Huge Glupteba Botnet That Infects A Million Windows PCs With Malware

Generally, when we talk about "botnets" we're talking about networks of devices infected with malware that serve an unintended (and usually malicious) purpose for an unknown external agent, one who controls the network through a centralized "command and control" service. An example would be the Srizbi botnet, formed by Windows machines infected by the Srizbi trojan, and said to be composed of some 450,000 compromised machines at its peak—although botnets don't necessarily have to use PCs.

Another example of a major botnet is Glupteba. Google says that Glupteba's network includes around a million machines worldwide, and that it sometimes adds "thousands of new devices per day." Glupteba isn't just a botnet—the malware itself can carry a nasty payload, including theft of user credentials and data, illicit cryptocurrency mining on the victims' hardware, and even setting up proxies that funnel other users' internet traffic through the infected machine or router.

Glupteba is an extremely complicated piece of malware, but even looking at the non-technical aspects of the operation is daunting. Glupteba malware is distributed through fake internet downloads for software cracks and pirated media as well as through Google ads and various front websites. It then coordinates using a variety of methods: HTTPS connections between numerous control servers and infected systems, as well as encrypted connections over the Bitcoin blockchain.

[Image] One of the fake download pages for Glupteba's malware.

These types of sophisticated botnets are difficult to take down, but Google's got a big stick to swing. Today the company announced that it has dealt a couple of major blows to Glupteba. First, on the technical side of things, Google is working hard within its own servers as well as in collaboration with hosting providers (like Cloudflare) to shut down and block access to the command and control mechanisms for Glupteba. That won't necessarily help machines that are already infected, but it should help slow the spread of Glupteba, and prevent affected machines from benefiting their assailants.

The other tine of Google's two-pronged attack is legal action. Google is filing litigation against those whom it believes to be the operators of Glupteba: a group of hackers in Russia. Besides filing an action in New York against the hackers, the company has also filed for a restraining order to cut off their access to its own services, which hosted some of the command and control infrastructure for Glupteba. Google says that if its legal actions are successful, they will create "real legal liability" for the operators.

As Google notes, the fault-tolerant and redundant design of Glupteba, in combination with its use of the blockchain, makes it extremely resilient. The company says that rather than trying to shut it down directly, Google is working with both others in the industry and governments worldwide to help strengthen the internet at large against "this type of behavior." Google says its goal is not just to "plug security holes," but instead to "eliminate entire classes of threats." Lofty goals, but if anyone has the resources to do it, it's Google.