The notorious Emotet botnet software began uninstalling itself from roughly one million computers on Sunday.
According to SecurityWeek, the uninstall command was part of an update sent to the infected computers by law enforcement servers in the Netherlands after Emotet’s infrastructure was compromised in January during a multinational operation mounted by eight nations.
The poisoned upgrade deletes the Windows registry key that made the botnet’s modules run automatically at startup, and it also stops and deletes the associated Windows services, so the implant no longer launches or reconnects after a reboot.
“The threat posed by Emotet was already neutralized by the takeover of its entire network infrastructure by law enforcement last January,” explained Jean-Ian Boutin, head of threat research at Eset, an information technology security company based in Bratislava in the Slovak Republic.
“Our continuous monitoring of Emotet shows that the operation has been a complete success,” he told TechNewsWorld.
“On Sunday, a cleanup procedure was activated on compromised systems that connected to the infrastructure controlled by law enforcement,” he continued. “The update removes Emotet’s persistence mechanisms, effectively preventing the threat from reaching out to any command and control servers in the future.”
According to the U.S. Justice Department, Emotet infected 1.6 million computers globally from April 1, 2020 to Jan. 17, 2021 and caused millions of dollars of damage to victims worldwide.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) estimates that Emotet infections cost state, local, tribal and territorial governments up to US$1 million per incident to remediate.
Machines Still At Risk
Although Emotet has been neutralized, the machines it infected remain at risk.
“Emotet itself wasn’t known for many malicious behaviors, especially in its last iterations,” observed Chet Wisniewski, principal research scientist at Sophos, a network security and threat management company based in the UK.
“It was known for bringing along other malicious software, which it is likely to have done before the acquisition by police of the command and control infrastructure,” he told TechNewsWorld. “Its removal has no effect on other malicious software it may have brought along.”
Boutin noted that in the last two years, Emotet actively distributed at least six different malware families: Ursnif, Trickbot, Qbot, Nymaim, IcedID and Gootkit.
“Once installed, the malware families run independently from Emotet,” he said. “Hence, both must be eradicated in order for the system to be malware free.”
“The gap between the network infrastructure takedown and Sunday’s cleaning operation was to allow affected organizations to find these different malware families and take the necessary steps to clean their network,” he explained.
“Deactivating Emotet can be seen as a first step in recovering these machines, but it is far from the only step,” added Christopher Fielder, director of product marketing for Arctic Wolf, a maker of cloud SIEM software.
“These machines should still be considered compromised and assessed using an effective incident response plan,” he told TechNewsWorld.
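A practical first check for the situation the researchers describe, added here as an example and not taken from the article or from the law-enforcement update: a PowerShell triage script that lists autorun registry values and Windows services whose executable lives in a user-writable directory, and flags entries whose binary no longer exists. The registry key list, the directory list and the heuristic itself are assumptions for illustration, not Emotet indicators of compromise; the output is a set of leads for the forensic analysis the experts recommend, not a verdict.

```powershell
# Added example: triage persistence entries that point into user-writable directories.
# The registry keys, directory list and heuristic are assumptions for illustration,
# not Emotet indicators of compromise. Run in an elevated PowerShell on the host.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a standard user can write to. A service or autorun launched from
# one of these is unusual for legitimate software and worth a closer look.
$SuspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData,
                  "$env:USERPROFILE\Downloads") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# PowerShell adds these metadata properties to Get-ItemProperty output; they are not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath {
    # Pull the executable out of a command line such as "C:\x\y.exe" /arg or C:\x\y.exe /arg.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).ToLowerInvariant()
    foreach ($root in $SuspectRoots) {
        if ($expanded.StartsWith($root + '\')) { return $true }
    }
    return $false
}

function Get-SuspectAutoruns {
    $findings = @()

    # 1. Autorun registry values
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $image = Get-ImagePath ([string]$prop.Value)
            if (Test-SuspectPath $image) {
                $full = [Environment]::ExpandEnvironmentVariables($image)
                $findings += [pscustomobject]@{
                    Type     = 'RunKey'
                    Location = "$key\$($prop.Name)"
                    Image    = $full
                    # A dangling entry (binary gone, value still present) is typical of a
                    # partial cleanup and still deserves a look.
                    Exists   = Test-Path -LiteralPath $full
                }
            }
        }
    }

    # 2. Windows services
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $image = Get-ImagePath $svc.PathName
        if (Test-SuspectPath $image) {
            $full = [Environment]::ExpandEnvironmentVariables($image)
            $findings += [pscustomobject]@{
                Type     = 'Service'
                Location = "$($svc.Name) ($($svc.State), $($svc.StartMode))"
                Image    = $full
                Exists   = Test-Path -LiteralPath $full
            }
        }
    }

    return $findings
}

Get-SuspectAutoruns | Format-Table -AutoSize
```

Findings are leads, not verdicts: plenty of legitimate updaters also run from %LOCALAPPDATA%, and a binary that a removal routine already deleted still leaves a dangling autorun value behind, so each hit should be reviewed under the organization’s own incident response plan rather than deleted automatically.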
Whether the owners of the infected machines are being notified about the possibility of further infections is unclear, noted Dirk Schrader, global vice president of New Net Technologies, a Naples, Fla.-based provider of IT security and compliance software.
“It would certainly be helpful to alert the system’s owner that further forensic analysis is needed,” he observed.
Removing Emotet from the threat landscape is a great achievement, Wisniewski maintained. “It was one of the most dangerous and prolific email threats in the world,” he said.
“I think the initial takedown and acquisition of the command infrastructure was fantastic and something we would love to see more of,” he added.
“This latest action, however, seems like it isn’t as useful and is more of a PR move than anything that will keep the public safe,” Wisniewski pointed out.
“The takedown is very significant,” added Vinay Pidathala, director of security research at Menlo Security, a cybersecurity company in Mountain View, Calif.
He noted that across Menlo Security’s global customer base, Emotet was the top malware that it protected customers against in 2020.
“Emotet was also responsible for a lot of ransomware infections, so taking down such a pervasive malware distribution platform is good for the internet,” he added.
As gratifying as the takedown of Emotet is, the havoc it wreaked across countless networks over seven years is alarming, declared Hitesh Sheth, president and CEO of Vectra AI, a provider of automated threat management solutions based in San Jose, Calif.
“We must aspire to have more international cooperation for cybersecurity plus better response time,” he told TechNewsWorld.
“None of us know how many malware cousins of Emotet are doing more damage right now,” he said, “but if each takes seven years to neutralize, we will remain in lasting crisis.”
One reason it took so long to take down Emotet was the complexity of its network infrastructure.
“Through our long-term tracking of the botnet, we identified hundreds of command and control servers, organized in different layers and spread out throughout the world,” Boutin explained. “To be successful, the operation needed to take down all these C&C servers at the same time, a very difficult task.”
Security experts generally praised law enforcement for taking down Emotet, although some had concerns about the action.
“I think takedowns are critical and law enforcement agencies are important in being able to expedite and also put the right number of resources to do something at scale. These actions are commendable,” Pidathala observed.
Boutin noted that the takedown was not limited to shutting down a botnet’s infrastructure but went further with the arrest of individuals suspected of being involved with Emotet.
“Pushing the uninstall routine on infected systems was the icing on the cake,” he said. “Hopefully this action will serve as a reference and make future takedown operations easier and more efficient.”
However, Austin Merritt, a cyberthreat intelligence analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, noted that takedowns can raise some privacy issues.
“People targeted by Emotet may be concerned that involving the FBI could allow them to indiscriminately go into victims’ computers and see what is there,” he told TechNewsWorld. “Consequently, there may be concerns of law enforcement obtaining nonpublic information from them.”
While automatically removing malware seems to be a great answer to these infections, especially in large deployments such as Emotet, there are some ethical issues with the approach, added Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Part of the issue is that law enforcement is actively deleting files from privately owned devices,” he told TechNewsWorld. “Even with the best of intentions, this has the potential to become an issue.”
Coding errors could potentially cause outages and loss of revenue or services in future automated malware removal activities, he explained.
“In addition,” Kron continued, “there may be a lack of notification to the affected organizations. This could become an issue if the automated removal process happens at the same time the device administrators are doing their forensic data collection or removing the malware themselves. Without coordination, this could become a significant issue for an organization.”
“This trend, while beneficial in the short term, is a topic that should be discussed further within the cybersecurity industry, with an emphasis on how to manage notifications to those whose devices have been modified, managing oversight, and potentially the option to opt out of these law enforcement actions altogether,” he added.