Cyberwarfare Up-Close: United States Forces Vs North Korean Joanap Botnet
A team drawn from the U.S. Air Force (AFOSI), the DOJ and the FBI has been assembled to track down and disrupt the Joanap botnet, which is alleged to be funded by North Korea, under a court order issued by the U.S. District Court for the Central District of California. “This court finds that there is probable cause to believe that the IP addresses and other related information to be obtained from the computers infected with the Joanap malware will constitute or yield evidence of violations of federal offenses, including Title 18, United States Code, Section 1030, being committed by North Korean subjects of the government’s investigation who are not yet identified, which investigation is ongoing in the Central District of California,” explained the court.
The Joanap botnet has existed since 2009, when it was first detected in a campaign together with Brambul, an SMB worm. The infection campaign succeeded because many unpatched Windows servers exposed SMB file sharing to the network. Ten years on, Joanap has kept expanding for the same reason: plenty of Windows computers with unpatched SMB are still reachable online.
“The search warrant allowed the FBI and AFOSI to operate servers that mimicked peers in the botnet. By pretending to be infected peers, the computers operated by the FBI and AFOSI under the authority of the search warrant and order collected limited identifying and technical information about other peers infected with Joanap (i.e., IP addresses, port numbers, and connection timestamps). This allowed the FBI and AFOSI to build a map of the current Joanap botnet of infected computers,” said the U.S. Prosecutor team that handles the case.
The FBI and the Air Force ran servers that posed as infected peers, a form of honeypot, so that they could deliberately join the botnet and observe Joanap's peer-to-peer operation up close. That vantage point is what allowed them to build the initial map of the malware's infrastructure and to identify the routers and firewalls closest to infected hosts, through which the packets carrying instructions were sent and received.
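The prosecutors describe the data the fake peers were allowed to collect as IP addresses, port numbers and connection timestamps, and the goal as a map of the current botnet. The script below is an added example of how such records can be turned into a peer inventory; it is not code from the original article or from the FBI/AFOSI operation. It assumes a log format of `timestamp,sensor,ip,port` per inbound peer contact (an assumed format; the article specifies none), assumes sensor names such as `peer-a`, and uses constructed sample records with documentation IP ranges rather than real victim addresses. Its treatment of peers seen by more than one sensor as "corroborated" is likewise this example's own choice, not something the article states.

```python
"""Aggregate peer-contact records from fake botnet peers into a peer map.

Added example, not from the original article or the FBI/AFOSI operation.
Assumed record format (one line per inbound peer contact):
    timestamp,sensor,ip,port
covering the three data types the warrant allowed: IP address, port number
and connection timestamp.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample records (not real data). Two sensors, "peer-a" and
# "peer-b", see overlapping sets of peers; one line is a private address that
# belongs to a sensor's own LAN and one line is malformed.
SAMPLE_RECORDS = """\
2019-01-10T03:15:02Z,peer-a,203.0.113.17,443
2019-01-10T03:15:40Z,peer-a,198.51.100.9,8080
2019-01-10T04:02:11Z,peer-b,203.0.113.17,443
2019-01-10T04:10:55Z,peer-b,192.168.1.23,445
2019-01-10T04:11:05Z,peer-b,198.51.100.9,8081
2019-01-11T09:30:00Z,peer-a,203.0.113.17,443
garbage line with no commas
2019-01-11T10:00:00Z,peer-b,2001:db8::5,443
"""

# Address space that cannot belong to a remote victim: the sensor's own
# private network, loopback and link-local. Checked explicitly rather than via
# ipaddress.is_global, which would also reject the documentation ranges used
# in the constructed sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class Peer:
    ip: str
    first_seen: datetime
    last_seen: datetime
    contacts: int = 0
    ports: set[int] = field(default_factory=set)
    sensors: set[str] = field(default_factory=set)


def parse_record(line: str):
    """Return (timestamp, sensor, ip, port) or None if the line is unusable."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    ts_raw, sensor, ip_raw, port_raw = parts
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(ip_raw)
        port = int(port_raw)
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return ts, sensor, ip, port


def build_peer_map(records: str) -> dict[str, Peer]:
    """Fold per-contact records into one entry per externally reachable peer."""
    peers: dict[str, Peer] = {}
    for line in records.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue  # malformed lines are skipped, not guessed at
        ts, sensor, ip, port = parsed
        if any(ip in net for net in INTERNAL_NETS):
            continue  # sensor-local address, not a remote victim
        key = ip.compressed
        peer = peers.get(key)
        if peer is None:
            peer = peers[key] = Peer(ip=key, first_seen=ts, last_seen=ts)
        peer.first_seen = min(peer.first_seen, ts)
        peer.last_seen = max(peer.last_seen, ts)
        peer.contacts += 1
        peer.ports.add(port)
        peer.sensors.add(sensor)
    return peers


def corroborated_peers(peers: dict[str, Peer]) -> list[str]:
    """Peers contacted by more than one sensor (this example's own criterion)."""
    return sorted(ip for ip, p in peers.items() if len(p.sensors) > 1)


if __name__ == "__main__":
    pm = build_peer_map(SAMPLE_RECORDS)
    for ip, p in sorted(pm.items()):
        print(f"{ip:16} contacts={p.contacts} ports={sorted(p.ports)} "
              f"sensors={sorted(p.sensors)} "
              f"first={p.first_seen:%Y-%m-%d} last={p.last_seen:%Y-%m-%d}")
    print("corroborated:", corroborated_peers(pm))
```

Run it as a script to see the inventory. The first-seen and last-seen timestamps are what let an analyst tell a peer that is still active from one that has already been cleaned, and the explicit internal-range filter is there because a fake peer on a LAN will log its own neighbours as readily as real victims.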
“Using the information obtained from the warrant, the government is notifying victims in the United States of the presence of Joanap on an infected computer. The FBI is both notifying victims through their Internet Service Providers and providing personal notification to victims whose computers are not behind a router or a firewall. The U.S. government will coordinate the notification of foreign victims by contacting the host country’s government, including by utilizing the FBI’s Legal Attachés,” added the U.S. Prosecutor team.
All mainstream antivirus products today carry signatures for Joanap, which limits the botnet's ability to keep growing. However, because unpatched computers remain reachable online, it will take some time for the botnet to actually shrink.
“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems. While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to stage damaging computer intrusions,” said Nicola Hanna, U.S. Attorney.