Reading view

There are new articles available, click to refresh the page.

How to tell if a VPN app added your Windows device to a botnet

✇Malwarebytes Labs

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

  • MaskVPN
  • DewVPN
  • PaladinVPN
  • ProxyGate
  • ShieldVPN
  • ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

  • Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
  • Search for the name of the malicious VPN application.
  • Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

  • MaskVPN (mask_svc.exe)
  • DewVPN (dew_svc.exe)
  • PaladinVPN (pldsvc.exe)
  • ProxyGate (proxygate.exe, cloud.exe)
  • ShieldVPN (shieldsvc.exe)
  • ShineVPN (shsvc.exe)
Example by FBI showing processes associated with ShieldVPN in Task Manager

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

  1. Open the app.
  2. On the main dashboard, click the Scan button.
  3. A progress page appears while the scan runs.
  4. After the scan finishes, it displays the Threat scan summary.
    • If the scan detected no threats: Click Done.
    • If the scan detected threats on your device: Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking Quarantine.
  5. Click View Report or View Scan Report to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Man Who Mass-Extorted Psychotherapy Patients Gets Six Years

✇Krebs on Security
BrianKrebs

A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.

On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.

Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.

Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.

Antti Kurittu is a former criminal investigator who worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).

Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.

“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”

But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence.

“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over SSNDOB, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.

Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.

Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.

❌