topic Taking apart a botnet ... in Industry News https://community.isc2.org/t5/Industry-News/Taking-apart-a-botnet/m-p/18639#M2196 <P>The <A href="https://nakedsecurity.sophos.com/2019/02/04/fbi-burrowing-into-north-koreas-big-bad-botnet/" target="_blank" rel="noopener">FBI is messing with Joanap</A>, a botnet run by a major North Korean blackhat group.</P><P>&nbsp;</P><P>Joanap itself is fairly complicated, with infections being started by an SMB worm, which then installs the Joanap RAT (Remote Access Trojan).&nbsp; Command and control is done via a peer-to-peer distributed network.</P><P>&nbsp;</P><P>Which is where the FBI comes in.&nbsp; A court in the US granted them permission to set up fake servers pretending to be controllers on Joanap.&nbsp; As such, they could spy on individual machines, collect information, or even install software (possibly to remove the infections and patch vulnerabilities).</P><P>&nbsp;</P><P>In examining the <A href="https://community.isc2.org/t5/Chapters/Vancouver-Chapter-Ethics-of-Active-Defence-Feb-8/m-p/18596" target="_blank" rel="noopener">ethics of active defence</A>, I find this fascinating.</P><P>&nbsp;</P><P>I'm pretty sure than in Canadian law the FBI action would actually be illegal, which is possibly why they are contacting host governments in the cases of non-US victims.</P><P>&nbsp;</P><P>(Oh, and remember to patch your systems, which is the only reason the blackhats were able to build Joanap in the first place ...)</P> Mon, 09 Oct 2023 09:06:14 GMT rslade 2023-10-09T09:06:14Z Taking apart a botnet ... https://community.isc2.org/t5/Industry-News/Taking-apart-a-botnet/m-p/18639#M2196 <P>The <A href="https://nakedsecurity.sophos.com/2019/02/04/fbi-burrowing-into-north-koreas-big-bad-botnet/" target="_blank" rel="noopener">FBI is messing with Joanap</A>, a botnet run by a major North Korean blackhat group.</P><P>&nbsp;</P><P>Joanap itself is fairly complicated, with infections being started by an SMB worm, which then installs the Joanap RAT (Remote Access Trojan).&nbsp; Command and control is done via a peer-to-peer distributed network.</P><P>&nbsp;</P><P>Which is where the FBI comes in.&nbsp; A court in the US granted them permission to set up fake servers pretending to be controllers on Joanap.&nbsp; As such, they could spy on individual machines, collect information, or even install software (possibly to remove the infections and patch vulnerabilities).</P><P>&nbsp;</P><P>In examining the <A href="https://community.isc2.org/t5/Chapters/Vancouver-Chapter-Ethics-of-Active-Defence-Feb-8/m-p/18596" target="_blank" rel="noopener">ethics of active defence</A>, I find this fascinating.</P><P>&nbsp;</P><P>I'm pretty sure than in Canadian law the FBI action would actually be illegal, which is possibly why they are contacting host governments in the cases of non-US victims.</P><P>&nbsp;</P><P>(Oh, and remember to patch your systems, which is the only reason the blackhats were able to build Joanap in the first place ...)</P> Mon, 09 Oct 2023 09:06:14 GMT https://community.isc2.org/t5/Industry-News/Taking-apart-a-botnet/m-p/18639#M2196 rslade 2023-10-09T09:06:14Z