FBI Deletes PlugX Malware from Thousands of Computers

According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from “approximately 4,258 U.S.-based computers and networks.”

Details:

To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is operated by the hacking group. According to the FBI, at least 45,000 IP addresses in the US had back-and-forths with the command-and-control server since September 2023.

It was that very server that allowed the FBI to finally kill this pesky bit of malicious software. First, they tapped the know-how of French intelligence agencies, which had recently discovered a technique for getting PlugX to self-destruct. Then, the FBI gained access to the hackers’ command-and-control server and used it to request all the IP addresses of machines that were actively infected by PlugX. Then it sent a command via the server that causes PlugX to delete itself from its victims’ computers.

Posted on January 16, 2025 at 7:03 AM

Comments

RP January 16, 2025 8:50 AM

Interesting, regarding the legal ramifications of issuing commands to infected computers. Is there, or should there be, laws explicitly allowing these kinds of operations without explicit user consent? If only for the sake of global internet security, since it is not a technical matter of allowing extra access?

Clive Robinson January 16, 2025 10:27 AM

@ Bruce, All,

There is a fair bit of difference between 4,258 US based PCs cleaned up and 45,000 IP addresses in the US seen having “back-and-forths”.

Which raises all sorts of questions that have not been answered.

However one that can be answered is the age old,

“How could this have happened?”

And it’s something US legislators, the US DoJ and the FBI are avoiding saying.

But the answer is,

“Due to lobbying and the like the US has failed to bring in legislation to stop “not fit for market” software being made. The DoJ and FBI have also failed to use the little legislation there is.

In part this was due to the “backdoor desire” but as we have seen the FBI has been forced to change its position on E2EE. In part because of alleged Chinese activities critically affecting US National Security and in part because many of the US non law enforcement security agencies have in effect read them the riot act.

But in the main I have reason to believe that “backdoor the crypto” is no longer the desire it has been for four decades. Because of the oh so much more powerful “Device Side Scanning” that importantly also does an “ET Phone Home” “to the mother-ship” across an open network.

Even though the Device to OS Manufacturer personal and private data flow may be supposedly obscured by “encryption”, we know that any even less than half competent US Guard Labour agency could get the keys etc as the legislation to obtain the keys has been in place for quite some time.

As noted back in the days of the Carrier IQ scandal just about a decade and a half ago,

https://www.engadget.com/2011-12-01-carrier-iq-what-it-is-what-it-isnt-and-what-you-need-to.html

https://theweek.com/articles/479745/carrier-iq-cellphone-scandal-insane-breach-trust

It was pointed out on this blog at the time to some disbelief and skepticism that the NSA, –that had a practice of sitting on the backbone and in upstream routers from targets,– were “collecting it all” as it passed by to Carrier IQ’s servers (remember this was a couple of years before the Ed Snowden revelations).

Does anyone realistically think this practice has stopped, or that they would not be targeting user data flowing to Apple, Google and Microsoft?

We as consumers and commercial entities should require rather more than E2EE… We should require as well strong privacy protections (certainly stronger than the EU requirements that are about the best there is, but really not sufficient). Also quite importantly a suitable level of “fit to market” from Apple, Google and Microsoft, and others they touch in various ways.

After all there has been a bit of a scandal over Apple and its new iteration of “Device Side Scanning” and Google over its renewed interest in “fingerprinting” users’ devices. As for Microsoft and Linux… Over the past few days, there have been events that should make any ordinary mortal pause for thought about the lack of quality coming out of Microsoft and process control for the Linux kernel,

https://www.phoronix.com/news/Linux-6.13-Dropping-EXECMEM_ROX

Luckily it was sufficiently bad that it was pulled.

What has not been said sufficiently well is what the code would do if it was functioning correctly, which is,

“The patches adapt Linux x86_64 to use large read only execute (ROX) pages for allocations of executable kernel. And in turn the large ROX pages to map text areas ends up reducing instruction TLB pressure and improving performance.”

I won’t go into details, but whilst “Large-ROX” will improve performance, it also falls foul of

“Security -v- Efficiency”

Thus it makes things less secure in several ways.

I cannot make my mind up if this is an innocent error or something more sinister by Microsoft.

The fact that it got into the Kernel code with no sign off from anyone should cause some serious eyebrow raising. As such it is a very literal “faux pas” and should cause some changes to procedures.

anon January 16, 2025 4:43 PM

The judges who have approved these measures, as implemented, need to be disbarred, along with the Microsoft and DoJ attorneys. The only action that Microsoft and the DoJ should have been able to take should have been to suspend the ISP accounts, and have the ISP redirect every outbound connection to the ISP’s ‘Contact us at the number on your bill, your account has been suspended’ page.

Dave January 16, 2025 6:23 PM

PlugX merits the word Nasty!

Comment: Looks like it was using ports 443, 80, 110, etc.

Info link: https://darktrace.com/blog/plugx-malware-a-rats-race-to-adapt-and-survive

And passing unreadable files on the operating system.

So, I am pondering, how are operating systems passing unreadable files?

lurker January 17, 2025 12:48 AM

@Dave
Security by obscurity

Operating systems have always been able to pass files with a dot in front of the name, which makes them invisible to ordinary users. It seems we have progressed now to the invisible dot, or a no-break-space U+00A0

I just created a file with U+00A0 as the first character in its name. It shows up in ls, but while the desktop filename function of Thunar complained a filename should not start with a space, it renamed a file like that, and it shows on the desktop.

Next question: why is Windows(TM) still allowed to exist?
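A check in the spirit of lurker’s experiment above, added here as an example and not code from the original post or any commenter: a small scanner that flags directory entries whose names contain invisible Unicode characters such as U+00A0 NO-BREAK SPACE or zero-width characters, which are the kind of names that look blank or empty in a desktop listing. The temporary directory and the sample file names are constructed for the demo.

```python
import os
import shutil
import tempfile
import unicodedata

# Unicode general categories that render as nothing or as blank space:
# Cc = control characters, Cf = format characters (zero-width joiners etc.),
# Zs = space separators, which includes U+00A0 NO-BREAK SPACE.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Zs"}


def suspicious_chars(name):
    """Return (index, code point, Unicode name) for every invisible character in name."""
    hits = []
    for i, ch in enumerate(name):
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def scan_directory(root):
    """Walk root and return {path: hits} for every entry whose name contains an
    invisible character, plus classic dot-prefixed names (reported with no hits)."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            hits = suspicious_chars(name)
            if hits or name.startswith("."):
                findings[os.path.join(dirpath, name)] = hits
    return findings


def demo():
    """Constructed sample tree (not real malware artefacts) to exercise the scanner;
    returns {basename: hits} so the result does not depend on the temp path."""
    root = tempfile.mkdtemp()
    try:
        names = ["report.txt", "\u00a0update.exe", "notes\u200b.log", ".hidden"]
        for n in names:
            open(os.path.join(root, n), "w").close()
        findings = scan_directory(root)
        return {os.path.basename(p): h for p, h in findings.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(repr(name), hits)
```

On a real system, point `scan_directory` at a user profile or autostart directory and review each reported code point; plain-text tools like `ls` show the name but not which blank it contains.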

Celos January 17, 2025 5:21 AM

I wonder what the legal basis is for that? Here (Switzerland), this would be criminal computer sabotage and the ones doing it on this scale would probably go behind bars. Yes, you can contact the computer owners and even have the ISPs disconnect them, but that is it. You are not allowed to change anything on a computer without permission, and that permission can only come from the owner. The only exception is an emergency that requires this and cannot be addressed in any other reasonable fashion. But since this malware has been active for years, that would not be the case either.

jamez January 17, 2025 1:50 PM

@anon, that’s not a solution.
That would leave the PC infected, likely without the user’s knowledge, disabling every device in the customer’s house, and they could just hop to the next ISP or hotspot, leaving their tunnel to China open.
The removal steps taken by PlugX in response to the C2 server command are exactly what needed to happen.

Eclectiqus January 18, 2025 10:42 PM

As I recall reading on the Sekoia.io blog post about this, they were the ones who sinkholed one of four C2 servers, not the FBI. And to avoid legal complications, they created a portal where at least 10 countries were able to submit deletions by IP address, CIDR block or ASN to Sekoia’s team.

and their botconf24 presentation:

The delightful part of the story is that it cost them about $7 and an email to the hosting provider to capture the C2 IP address and 30 minutes later they were looking at 1,000 requests per minute coming in from 90-100k different public IP addresses (representing more than that many devices given NAT and VPNs and such).

Chris Becke January 20, 2025 12:23 AM

The legal basis I imagine would be the same. They took legal control of the command and control servers.

As this infrastructure is fully in every legal sense theirs, they can do with it as they please. The act of connecting to the server to download instructions is going to be argued as implicit consent to execute whatever those instructions are.
