Wednesday’s Justice Department statement said authorities had followed through on the takedown, which disinfected “hundreds” of infected routers and removed them from the botnet. To prevent the devices from being reinfected, the takedown operators issued additional commands that the affidavit said would “interfere with the hackers’ control over the instrumentalities of their crimes (the Target Devices), including by preventing the hackers from easily re-infecting the Target Devices.”
The affidavit said elsewhere that the prevention measures would be neutralized if the routers were restarted. These devices would then be once again vulnerable to infection.
Redactions in the affidavit make the precise means used to prevent re-infections unclear. Portions that weren’t censored, however, indicated the technique involved a loop-back mechanism that prevented the devices from communicating with anyone trying to hack them.
Portions of the affidavit explained:
22. To effect these seizures, the FBI will simultaneously issue commands that will interfere with the hackers’ control over the instrumentalities of their crimes (the Target Devices), including by preventing the hackers from easily re-infecting the Target Devices with KV Botnet malware.
- a. When the FBI deletes the KV Botnet malware from the Target Devices [redacted. To seize the Target Devices and interfere with the hackers’ control over them, the FBI [redacted]. This [redacted] will have no effect except to protect the Target Device from reinfection by the KV Botnet [redacted] The effect of can be undone by restarting the Target Device [redacted] make the Target Device vulnerable to re-infection.
- b. [redacted] the FBI will seize each such Target Device by causing the malware on it to communicate with only itself. This method of seizure will interfere with the ability of the hackers to control these Target Devices. This communications loopback will, like the malware itself, not survive a restart of a Target Device.
- c. To seize Target Devices, the FBI will [redacted] block incoming traffic [redacted] used exclusively by the KV Botnet malware on Target Devices, to block outbound traffic to [redacted] the Target Devices’ parent and command-and-control nodes, and to allow a Target Device to communicate with itself [redacted] are not normally used by the router, and so the router’s legitimate functionality is not affected. The effect of [redacted] to prevent other parts of the botnet from contacting the victim router, undoing the FBI’s commands, and reconnecting it to the botnet. The effect of these commands is undone by restarting the Target Devices.
23. To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process. This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel. This command will not affect the Target Device if the VPN process is not running, and will not otherwise affect the Target Device, including any legitimate VPN process installed by the owner of the Target Device.
Now that the operation has been disclosed, the FBI plans to contact affected ISPs so they can notify affected subscribers.
