This article is more than 1 year old

Team America tries to crash Little Rocket Man's Joanap botnet from within, warns owners of infected boxes

So lonely, so lonely without my hacked PCs

Analysis Uncle Sam has infiltrated and somewhat knackered what it claims is a North Korea-operated botnet of hijacked Microsoft Windows computers.

US prosecutors reckon Park Jin Hyok – a suspected Sony Pictures and WannaCry hacker living in Kim Jong Un's hermit nation – built and managed the Joanap botnet, a globe-spanning network of commandeered systems, and used it to launch further cyber-attacks on various targets.

Here's how systems were infected and press-ganged into the botnet, which has been running since 2009, as alleged: first, the Brambul malware, which is a Server Message Block (SMB) worm, infects public-facing boxes, and those on internal networks, via their Windows file-sharing services. It typically brute-forces its way into systems by guessing the necessary password from a list of common passphrases.

Once Brambul is in, it runs the Joanap software nasty, which press-gang the computer into joining the botnet run by its operators, we're told. Joanap effectively opens a backdoor, allowing the infected computer to be remotely controlled by its masterminds.


Hadoop coop thrown for loop by malware snoop n' scoop troop? Oh poop


In October last year, the FBI and the US Air Force Office of Special Investigations (AFOSI) obtained a search warrant [PDF] from a California court to infiltrate the botnet, allowing the g-men to analyze and potentially disrupt its operations from within. This also meant the Feds can alert people who have been infected, by monitoring the IP addresses of the systems joining the network. Folks were, or will be, tipped off via their ISPs, or governments, depending on where they are in the world, it is claimed.

This approach is necessary, we're told, due to the peer-to-peer nature of the Joanap botnet's communications channels. Devices infected by the malware exchange between themselves so-called peer lists of IP addresses of other infected machines, allowing an ad-hoc network to form. Rather than seizing one or two central command-and-control servers, agents had to therefore add their own systems, masquerading as hijacked devices, to the network, allowing them to observe it by requesting peer lists from hijacked nodes.

A search warrant was needed because it involved scanning people's computers for network ports opened by Joanap – 80, 110, or 443 – and sending commands to those boxes on an open port requesting their peer lists. The judge allowed the agents to "seize" the following "property," as a result of that warrant:

The IP addresses of infected machines; the network ports used in their encrypted communications; the commands used to talk to the bot; the pseudo-random string of text used to authenticate one bot to another; the peer lists; system time on the infected machines; and where or not the machines are individually accessible.

Other information, such as system details and configurations, were not allowed to be recorded and kept on file.

Bugs bugged

Interestingly, the g-men had to extend a previous warrant, granted earlier in 2018, by an extra 30 days due to a bug in their code: the FBI's machines told other nodes in the botnet that they were inaccessible, when really the nodes were accessible. That hampered the Feds' operation, forcing agents to fix the bug in September and go back to the court to ask for an extension in October.

Essentially, Uncle Sam's code, which pretended to act as the botnet malware, would, as well as request lists, send its own peer list to infected nodes that would contain the IP addresses of the FBI's servers. These lists would propagate through the peer-to-peer network, causing more infected machines to contact the FBI's boxes, and thus help agents build up a bigger picture of the scale of the botnet. The aforementioned bug caused infected peers to stop using certain ports, thinking they were firewalled off, preventing the propagation of FBI's IP addresses.

Technically speaking, the FBI obtained a string of Joanap search warrants over 2018, the latest being an extension for more surveillance time after addressing their programming flaw.

The Feds claim they were able to disrupt the botnet, but did not specifically explain how. Presumably, they used the IP addresses in the exchanged peer lists to locate the owners of infected machines and tell them they had been pwned, so the malware could be scrubbed off the boxes, thus reducing the size of the network. The aforementioned bug also disrupted communications between peers until the flaw was fixed.

"Computers around the world remain infected by a botnet associated with the North Korean Regime," Assistant Attorney General John Demers said in announcing progress in the case on Wednesday. "Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data."

Here's how US prosecutors explained it in more detail:

The search warrant allowed the FBI and AFOSI to operate servers that mimicked peers in the botnet. By pretending to be infected peers, the computers operated by the FBI and AFOSI under the authority of the search warrant and order collected limited identifying and technical information about other peers infected with Joanap (i.e., IP addresses, port numbers, and connection timestamps). This allowed the FBI and AFOSI to build a map of the current Joanap botnet of infected computers.

Using the information obtained from the warrant, the government is notifying victims in the United States of the presence of Joanap on an infected computer. The FBI is both notifying victims through their Internet Service Providers and providing personal notification to victims whose computers are not behind a router or a firewall. The U.S. government will coordinate the notification of foreign victims by contacting the host country’s government, including by utilizing the FBI’s Legal Attachés.

According to the Feds, Windows Defender Antivirus and third-party anti-malware tools will detect and kill Joanap. Using strong SMB credentials will keep Brambul at bay.

“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said US Attorney Nicola Hanna.

“While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to stage damaging computer intrusions.”

News of the covert operation comes just one day after America's head of national intelligence warned that North Korea was among the nations looking to target US government and private sector companies with cyberattacks.

Unlike other nations that seek primarily to gather government and corporate intelligence information, North Korea has sought to use malware and cyber-attacks as a fundraising effort, focusing its efforts on banks and other targets that can be used to fill the isolated authoritarian regime's coffers. ®

More about


Send us news

Other stories you might like