Google says it’s disrupted a botnet known as Glupteba that’s spread malware to a million Windows devices. However, the company is warning the botnet could return, thanks to a novel backup mechanism that taps into the Bitcoin blockchain.
On Tuesday, Google announced it had worked with internet hosting providers to take down the servers that communicate with the Glupteba botnet. In addition, the company filed a lawsuit in a US district court against two Russian citizens it alleges are behind the operation.
“After a thorough investigation, we determined that the Glupteba botnet currently involves approximately one million compromised Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day,” the company wrote in a blog post.
A botnet is essentially an army of infected computers under one operator's control. To build Glupteba, the operators spread the malware through third-party “free download” sites that offer bootleg videos and games. Unsuspecting users click the download link and unknowingly install a Trojan on their PC. In one case, the operators even used a fake YouTube video downloading site to trick victims into installing the malicious code.
Once a successful infection occurs, the hackers can then use the malware to install additional malicious payloads, which can steal login credentials and mine cryptocurrencies on the infected machine. According to Google, the culprits have been largely targeting PCs based in the US, India, Brazil, and Southeast Asia.
But perhaps Glupteba’s most striking feature is how it uses the Bitcoin blockchain as a backup channel: if the operators’ command-and-control servers are cut off, infected machines can recover the address of a replacement server from the public ledger.
“Unlike conventional botnets, the Glupteba botnet does not rely solely on predetermined (web) domains to ensure its survival,” Google wrote in the lawsuit. “Instead, when the botnet’s C2 (command and control) server is interrupted, Glupteba malware is hard-coded to ‘search’ the public Bitcoin blockchain for transactions involving three specific Bitcoin addresses that are controlled by the Glupteba Enterprise.”
As a result, the hackers behind Glupteba can regain control of their botnet by writing encrypted instructions that point to a backup server into the Bitcoin blockchain. The ledger is public, replicated across thousands of nodes and cannot be taken down the way a hosting provider’s server can, which makes the botnet “particularly difficult to disrupt,” Google said. The same property cuts the other way: because the addresses are hard-coded in the malware, anyone who extracts them from a sample can watch those transactions and learn of a new backup server as soon as the operators publish it.
“Thus, the Glupteba botnet cannot be eradicated entirely without neutralizing its blockchain-based infrastructure,” the company added.
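How such a blockchain dead drop works in practice, as an added example that is not Glupteba’s code and is not based on any disclosed Glupteba sample: the malware walks recent transactions tied to its hard-coded addresses, pulls the bytes out of each OP_RETURN output (the standard way to embed up to 80 bytes of arbitrary data in a Bitcoin transaction), and decrypts and authenticates them with a key baked into the binary. The addresses, key, message layout and cipher below are all assumptions constructed for the example (an HMAC-SHA256 counter-mode stream with an HMAC tag stands in for whatever the real malware uses), the example assumes the bot only trusts transactions spent from a watched address, and the transaction records are a simplified constructed shape, not the output of any node or explorer API. The same routine, run by a defender who has recovered the addresses and key from a sample, yields the next backup domain the moment the operators publish it.

```python
import hashlib
import hmac

# Everything below is constructed for this example. These are not Glupteba's
# addresses, key or message format; the article does not disclose them.
WATCHED_ADDRESSES = {"1WatchedExampleAddressAAAA", "1WatchedExampleAddressBBBB"}
SHARED_KEY = b"example-hard-coded-key-not-real!"     # assumed 32-byte key from the binary
NONCE_LEN, TAG_LEN = 8, 16
OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D

def parse_op_return(script: bytes):
    """Return the data pushed after OP_RETURN, or None if the script is not a
    well-formed OP_RETURN output (direct push, OP_PUSHDATA1 or OP_PUSHDATA2)."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op, i = script[1], 2
    if 1 <= op <= 75:                                 # direct push: opcode is the length
        n = op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        n, i = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        n, i = int.from_bytes(script[2:4], "little"), 4
    else:
        return None
    data = script[i:i + n]
    return data if len(data) == n else None          # reject truncated pushes

def build_op_return_script(data: bytes) -> bytes:
    """Inverse of parse_op_return; used only to construct the sample transactions."""
    if len(data) <= 75:
        return bytes([OP_RETURN, len(data)]) + data
    if len(data) <= 255:
        return bytes([OP_RETURN, OP_PUSHDATA1, len(data)]) + data
    return bytes([OP_RETURN, OP_PUSHDATA2]) + len(data).to_bytes(2, "little") + data

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in stream cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, tag over nonce and ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob is too short or the tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def resolve_backup_c2(transactions, watched=WATCHED_ADDRESSES, key=SHARED_KEY):
    """Walk transactions newest block first; return the first OP_RETURN payload that
    was spent from a watched address and decrypts with a valid tag, as a string."""
    for tx in sorted(transactions, key=lambda t: t["block_height"], reverse=True):
        if not watched.intersection(tx["input_addresses"]):
            continue                                  # not spent by the operators' keys
        for out in tx["outputs"]:
            payload = parse_op_return(bytes.fromhex(out["script_hex"]))
            if payload is None:
                continue                              # ordinary payment output
            domain = unseal(key, payload)
            if domain:
                return domain.decode("ascii", "replace")
    return None

def _tx(height, sender, payload):
    # Simplified constructed record shape, not the output of a node or explorer API.
    return {"block_height": height, "input_addresses": [sender],
            "outputs": [{"script_hex": build_op_return_script(payload).hex()}]}

# Constructed chain slice: an old update, the current update, a tampered copy of it
# (one tag bit flipped), and a newer spoof from an address the operators do not control.
_current = seal(SHARED_KEY, b"nonce-04", b"new-c2.example")
_tampered = _current[:-1] + bytes([_current[-1] ^ 0x01])
SAMPLE_TRANSACTIONS = [
    _tx(700_000, "1WatchedExampleAddressAAAA", seal(SHARED_KEY, b"nonce-01", b"old-c2.example")),
    _tx(700_800, "1WatchedExampleAddressBBBB", _current),
    _tx(700_900, "1WatchedExampleAddressBBBB", _tampered),
    _tx(701_000, "1AttackerSpoofAddressZZZZ", seal(SHARED_KEY, b"nonce-02", b"sinkhole.example")),
]

if __name__ == "__main__":
    print(resolve_backup_c2(SAMPLE_TRANSACTIONS))   # new-c2.example
```

Two checks carry the weight here. Only transactions whose inputs are spent from a watched address are trusted, because that is the one part a third party cannot forge without the operators’ private keys; and a payload whose tag does not verify is skipped rather than acted on, so a stray or corrupted OP_RETURN from the right address cannot redirect the botnet. Dropping either check is what would let a defender who has the key post a sinkhole domain, which is exactly why the resolution logic is worth recovering from a sample.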
Nevertheless, Google is hoping it can discourage the suspected hackers from running the botnet. The company’s lawsuit names Dmitry Starovikov and Alexander Filippov as the two Russians allegedly behind Glupteba, citing Gmail and Google Workspace accounts they allegedly created to help them operate the criminal enterprise.
The company’s lawsuit is now demanding the US court force Starovikov and Filippov to pay damages and bar them from using Google services ever again.
Since both Starovikov and Filippov are based in Russia, which does not extradite its own citizens to the US, they will likely never face trial. Still, Google hopes the lawsuit “will set a precedent, create legal and liability risks for the botnet operators, and help deter future activity.”
To further disrupt the botnet, the company says it “terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution.”