Google has successfully obtained a restraining order against a cyber gang known as the CryptBot crew, which it accused of ripping off Google product names, trademarks and icons to sell rogue software distribution services. The company also claimed the gang had operated a botnet, which had stolen the personal data of hundreds of thousands of US victims. The gang has been accused of stealing browser passwords, screenshots, cryptocurrency account data and other personally identifiable information. The gang is allegedly based in Pakistan and did not attend court to defend itself. The court found in favour of Google, concluding that the company had shown “a likelihood of success” in respect of numerous charges, including violating the Computer Fraud and Abuse Act, trademark rules and racketeering laws.
The court order not only demands that the alleged criminals stop committing crimes, but also authorises Google to identify network providers whose services directly or indirectly make the criminality possible, and to “request that those persons and entities take reasonable best efforts” to stop the malware and data theft. The court order covers blocking network traffic that is known to be going to or coming from domains associated with the CryptBot crew. The final network hops taken by any malicious traffic that reaches US victims are almost certain to pass through ISPs that are under US jurisdiction, so those ISPs may end up with legal responsibility for actively filtering out any malicious traffic.
The restraining order does not demand any snooping on, sniffing out or saving of any data that’s transferred; it merely covers taking “reasonable steps to identify” and “reasonable steps to block” traffic to and from a list of identified domains and IP addresses. Additionally, the order covers blocking traffic “to and/or from any other IP addresses or domains to which Defendants may move the botnet infrastructure,” and gives Google the right to “amend [its list of network locations to block] if it identifies other domains, or similar identifiers, used by Defendants in connection with the Malware Distribution Enterprise.”
It is uncertain whether this will have any significant effect on CryptBot operations or whether the gang will simply re-emerge under a new name, using new malware and different servers. However, with the gang now publicly named, any dent in its activities is likely to be helpful. To reduce the risk of zombie malware compromise, users are advised to stay away from sites offering unofficial downloads of popular software, beware of assuming that the first result from a search engine is the official site for any product, consider running real-time malware blocking tools, and never be tempted to go for pirated or cracked programmes. Instead, find free or open-source alternatives from genuine download servers.