RSocks criminal botnet taken down

David Strom 22 Jun 2022

RSocks compromised its victims by brute forcing attacks on various IoT devices as well as smartphones and computers.

Last week, the US Department of Justice announced the takedown of Russian IoT botnet and proxy service for hire RSocks. Working with various European law enforcement agencies, the FBI used undercover purchases of the site’s services to map out its infrastructure and operations. 

RSocks compromised its victims by brute forcing attacks on various IoT devices (such as industrial control systems, streaming devices and smart garage door openers), as well as smartphones and computers. In its investigation, the DoJ found thousands of compromised entities, including universities, a TV studio, and various home-based businesses and individual consumers, beginning with investigations based in the San Diego area. By the operators of RSocks own admission, they had collected more than 8 million devices as part of their criminal network, including 1 million mobile IP addresses. The DoJ said it became aware about the botnet in 2017 when it had compromised over 350,000 devices.

RSocks made it very easy for other criminals to purchase a range of IP addresses. They ran a web-based storefront where users could rent address pools for a period of time (from days to months) at prices starting from $30 a day for 2,000 addresses. Just another small business — not! 

We’ve written about criminal uses of proxy services before, but as a refresher, they have legit uses to provide a range of IP addresses as a way to bypass censorship or geo-blocked content. Many businesses make use of reverse proxies as a way of securing their remote offices too. The RSocks enterprise was used as a mechanism to penetrate networks and distribute malware that could be used in credential stuffing attacks or sending phishing attacks. Basically, anything a hacker could cook up that required a bunch of endpoints to control for their nefarious purposes.  

The RSocks botnet isn’t the first (Russian or otherwise) botnet to be taken down. Earlier this year, another FBI operation disrupted the botnet known as Cyclops Blink. This was operated by a group of hackers working for Russia’s GRU, the country’s military intelligence unit. And fortunately, there have been numerous other botnet takedowns over the years, such as Trickbot back in 2020, Geost botnet in 2019 and the Hide ‘N Seek botnet in 2018. What is noteworthy about RSocks is how long it has operated and the sheer size of its network. Other notable botnets taken down by private parties include Gluteba (taken down by Google in 2021) and Necurs (taken down by Microsoft in 2020), which at the time had collected 9 million computers under its control. 

Brian Krebs investigated the origins of RSocks and found 35-year-old Denis Kloster as possibly the individual who is responsible for the botnet as well as running one of the largest Russian-based criminal forums. Krebs also claims that the botnet has been in operation since 2014, when he found mention of it on multiple Russian-language cybercrime forums.

Is your computer part of a criminal botnet?

That is hard to say. Certainly, if you notice your computer is busy when it should be idle or connecting to things that it shouldn’t, that could be a sign it is infected and under someone’s control. But it could be caused by badly-behaving software too. One way to determine this is to make use of Avast BreachGuard to determine if your personal information has been part of any data breach.

What are some ways to stop botnet attacks?

There's no magic bullet for stopping crime-based botnets because it is easy for criminals to create and scale up these botnets with all sorts of compromised devices.

However, you should follow some of these basics:

  • First off, you keep your OS and major software packages up to date with current patches and updates.
  • Don’t click on online links and don’t download anything from untrusted sources.
  • Use antivirus software (or better protection as mentioned above) and make sure it is being updated.

Also, you should examine all your gear – including routers and other IoT devices – and turn off SSH access if you aren’t using it or change it to a non-standard port if you are. If you can employ MFA to protect your login credentials, you should, as we have mentioned many times before.

If you're in the market for a new ISP, make sure you vet them by searching on ISPs that have been used by criminals in the past and steer clear of them. You should also identify all your IoT gear and then change default logins on all devices if you can.

--> -->