
Utopia Talk / Politics / The DOJ is in your computer
Mon Jun 13 16:26:45
How DOJ took the malware fight into your computer

Reaching into people’s computers and removing malware, once controversial inside the government, has gained more acceptance as a tool to thwart hackers.

SAN FRANCISCO — The Justice Department is increasingly seeking and receiving permission to secretly reach into Americans’ computers to delete malware — a shift officials say reflects a growing embrace of aggressive and creative tactics for combating a surge in cyberattacks.

Botnets — armies of hacked computers used to power everything from email spam campaigns to denial-of-service attacks that take down websites — pose a major threat to internet security, as do mass malware infections.

In the past year, federal prosecutors and FBI agents have increased their efforts to defeat botnets and contain malware outbreaks by directly removing malicious code from infected computers, without the knowledge or authorization of those computers’ owners.

“We have gotten more comfortable, as a government, taking that step,” Adam Hickey, a deputy assistant attorney general for national security, said in an interview at the RSA cybersecurity conference in San Francisco.

The latest example of this approach came in April, when U.S. authorities wiped malware off of hacked servers used to control a Russian intelligence agency’s botnet, preventing the botnet’s operators from sending instructions to the thousands of devices they had infected. A year earlier, the Justice Department used an even more expansive version of the same technique to send commands to hundreds of computers across the country that were running Microsoft’s Exchange email software, removing malware planted by Chinese government agents and other hackers.

In both cases, federal prosecutors obtained court orders allowing them to access the infected devices and execute code that erased the malware. In their applications for these orders, prosecutors noted that government warnings to affected users had failed to fix the problems, thus necessitating more direct intervention.

Unlike in years past, when botnet takedowns prompted extensive debates about the propriety of such direct intervention, the backlash to these recent operations was limited. One prominent digital privacy advocate, Alan Butler of the Electronic Privacy Information Center, said malware removals required close judicial scrutiny but acknowledged that there was often good reason for them.

Still, DOJ officials said they see surreptitiously taking control of American computers as a last resort.

“You can understand why we should be appropriately cautious before we touch any private computer system, much less the system of an innocent third party,” Hickey said.

Bryan Vorndran, who leads the FBI’s Cyber Division, said in an interview at RSA that the government’s approach is to “move from least intrusive to most intrusive.”

In the early days of action against botnets, beginning with a 2011 takedown of a network called Coreflood, senior government officials were reluctant to push the limits of their powers.

“With Coreflood, it was, ‘Okay, you can stop the malware, but we’re not going to delete it. That feels like that’s just too much, too fast,’” Hickey said.

In the decade since Coreflood, the government has disrupted many other botnets, but not through malware removals. Instead, authorities employed techniques such as seizing websites used to route hackers’ instructions and redirecting those instructions so they never arrive.

Typically, when the FBI wants to take down a botnet that hackers have assembled by infecting vulnerable routers or other products, the bureau begins by working with device manufacturers to issue warnings to customers. The number of remaining infected devices powering the botnet drops off very quickly after these warnings, Vorndran said, “but it doesn’t get anywhere close to zero.”

Next comes direct outreach to the remaining victims. In the case of the Russian government botnet, FBI agents notified hundreds of victims that they should patch their devices. To address the Exchange crisis, the FBI and Microsoft contacted thousands of vulnerable organizations. But even after that step, Vorndran said, “we’re left with something remaining, where there’s still a usable vector for attack.” The Russian government botnet — which included computers in states such as Texas, Massachusetts, Illinois, Ohio, Louisiana, Iowa and Georgia — still retained about 20 percent of its command-and-control servers after the FBI’s victim notifications.

“The question becomes, what do we do?” Vorndran said. “Should the adversary still have the opportunity to utilize these to conduct an attack, whether inside the United States or [elsewhere]? And our answer to that will always be ‘No,’ especially when we have the legal authorities and the capability to neutralize that botnet.”

This is when malware removal comes into play.

After identifying infected devices, the government asks a court for permission to send commands to those devices that will cause the malware to delete itself. Essentially, the FBI uses the malware as a point of entry to the infected computers — it doesn’t need to hack the computers itself, because it’s piggybacking on someone else’s hack. These operations rely on intelligence that the bureau gathers about the botnet in question, including, sometimes, the passwords necessary to control the malware. A court’s permission is necessary, at least for devices in the U.S., because accessing them constitutes a search under the Fourth Amendment.

DOJ officials cited several reasons for the recent embrace of this tactic.

One is new leadership. Deputy Attorney General Lisa Monaco has been a key proponent of this strategy, having seen the value of disruption operations during her time as White House homeland security and counterterrorism adviser.

“The political leadership currently has seen this has been done before [and] is very forward-leaning,” Hickey said.

Senior officials are also more willing to sign off on aggressive actions because they understand the technology better. “They can ask questions of the FBI to assure themselves, ‘What have you done to test this? How’s it going to work?’” Hickey said, “and so they’re comfortable moving forward with an [operation] like that.”

The public generally seems to be on board, too. “We have done things like this a number of times where I don’t feel like people are like, ‘Are you crazy?’” Hickey said. “There’s still an appropriate level of scrutiny of these operations, but I think we have established credibility and trust.”

Whereas in the past it was hard for prosecutors to justify intrusive actions to their superiors, Hickey said, it is now harder for them to justify not taking those actions and leaving a botnet intact. “We’ve gotten to this point where we’re like, okay, if we’ve tested [our code], if we’ve worked with the manufacturer, if we’ve done everything we can to ensure there will not be collateral damage, why would we just leave the malware there?”

These changes have not just been driven by an increased comfort with reaching into people’s computers. Companies whose products are being abused are now more likely to share what they know with the government, according to Hickey. “They don’t have the authority to get a search warrant,” he said, “but they know that we will do that.”

In addition, the FBI, as part of a broader shift toward disrupting hackers, has begun devoting more personnel and resources to the difficult work of developing the tools necessary for these operations.

“We still do believe in taking players off the field,” Vorndran said. “But at the end of the day, if there’s an adversary that has an attack vector available, we’re going to do everything we can to neutralize that.”

Malware removals are only likely to become more common as botnets continue to proliferate, the FBI’s expertise with this technique grows and DOJ leaders’ familiarity with the strategy increases.

There has been “an evolution of our thinking” about how to stop botnets, Hickey said, as prosecutors have developed greater “risk tolerance” for complicated operations and department leaders have recognized a growing “confidence by the public and Congress.”


Mon Jun 13 16:42:07
Bit clickbaity, these were enterprise servers, not personal computers, and they didn't show up and install shit, they used the same malware vectors as the hackers.
Mon Jun 13 17:01:31
Kinda funny that they used the botnet to delete the botnet though, lol.
Mon Jun 13 18:24:19
OMG!!! let them out, we're in a heatwave.
Mon Jun 13 19:42:22

It's the DOJ in your computer, not Prince Albert in a can.

Too bad Prince Andrew isn't in the can. ;o)

Tue Jun 14 00:18:47
"they used the same malware vectors as the hackers."

I can't quite articulate why (but will give it a shot below), but using the malware that's already there, to delete the malware itself, makes me a lot more comfortable with it.

We stop forest fires with controlled burns, after all, inclusive of intruding on private property. I would argue that is more intrusive, since in many/most cases they're going onto as-yet-unaffected private property to do those controlled burns, to dig those fire break trenches, and so on.

Here, you get to control your own fire suppression systems. The fire marshal is apparently giving you notice that your shit isn't up to code, and so on, and you're ignoring it. After your building is on fire, sorry, it's too late, it's a public threat to the other buildings nearby, it needs to be put out, the firefighters do not need your permission to go in there.
Tue Jun 14 04:14:35
And that fire can spread to any house anywhere in the country or the planet, one not constrained by physical proximity.
Tue Jun 14 08:44:48

I've just always assumed that the government was in every system. At least this way they are doing something helpful. ;o)

Tue Jun 14 09:59:04
>I've just always assumed that the government was in every system

The only smart assumption to make. Even if they don't you should act like they do, because they probably do, and definitely will.
Tue Jun 14 10:19:12

Yes. I always say that when it comes to government surveillance, if they have the capability and can afford to, then they are doing it.

Tue Jun 14 10:21:35
And the USA complains that China and Chinese companies are malware and are spying. Lol!
Tue Jun 14 10:24:22

Yeah but we're the good guys. :oP

Tue Jun 14 10:24:45
Nice whataboutism, very convincing
Wed Jun 15 06:46:14
A good guy doesn’t spy on my shit.
Wed Jun 15 07:04:45

We have to to keep you safe from the bad guys. ;o)
