BSI paralyzes communication of 30,000 BadBox drones
The BSI was able to intervene in the communication of the BadBox malware and protect 30,000 infected devices.
(Image: Outflow_Designs / Shutterstock.com)
Around 30,000 devices across Germany are infected with the BadBox malware. These include Internet-of-Things devices such as digital picture frames or media players that were equipped with the malware at the factory; internationally, smartphones and tablets are also said to be affected. The BSI has now been able to interrupt their communication with the command-and-control servers of the criminals behind the malware.
The BSI announced on Thursday of this week that in all cases known to it, the BadBox malware was already installed on the respective devices, which typically ship with outdated Android versions, at the time of purchase. The malware offers the masterminds a range of functions with which to cause damage.
Multifunctional BadBox
BadBox can create undetected accounts for email and messenger services, which can be used to spread fake news, for example. The malware also has a built-in function for advertising fraud: it can surf websites in the background. It can also serve as a so-called residential proxy, which allows criminals to disguise their origin. They then use it to carry out illegal activities such as cyberattacks or the distribution of illegal content, and law enforcement officers subsequently target the IP addresses of those who operate the infected devices.
The BSI has now been able to block communication between infected devices and control servers with a so-called sinkholing measure. The authority registers the domains used for malware communication and redirects the messages to its own servers.
The BSI does not want to name affected products, as identical variants are sold under different names on the Internet. Affected consumers should be informed by their Internet providers about the suspected infection. The individual providers word their notifications differently, so the details may vary. The BSI asks that recipients take these notifications seriously and check all Internet-enabled devices in the local network. Affected devices should be disconnected from the network immediately. Consumers who have not been informed should also check their devices, the BSI further recommends. However, the recommendation has one drawback: the BSI does not specify how this check can be carried out, and there is no special tool available for it. Nor does the BSI list any indicators of compromise (IoCs).
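To make the sinkholing and notification flow described above concrete, here is an added toy model (not BSI code, and not based on any real BadBox indicators): the authority answers the taken-over C2 domains with its own server address, records which client IPs connect, and groups them by provider so the ISPs can notify their customers. All domains, addresses and ISP prefixes are constructed placeholders.

```python
"""Toy model of the DNS sinkhole described in the article. Domains, IPs and
ISP prefixes below are constructed placeholders (assumption), not real IoCs."""
import ipaddress
from collections import defaultdict
from typing import Iterable, Optional, Tuple

# Constructed placeholder C2 domains the authority has registered (assumption).
SINKHOLED_DOMAINS = {"c2-example-1.invalid", "c2-example-2.invalid"}
SINKHOLE_IP = "192.0.2.10"  # documentation address standing in for the sinkhole server

# Constructed mapping of customer address ranges to provider names (assumption).
ISP_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "ISP-A",
    ipaddress.ip_network("203.0.113.0/24"): "ISP-B",
}

def resolve(domain: str) -> Optional[str]:
    """Authoritative answer for a sinkholed domain: always the sinkhole server.
    Returns None for domains the authority does not control."""
    if domain.lower().rstrip(".") in SINKHOLED_DOMAINS:
        return SINKHOLE_IP
    return None

def isp_for(ip: str) -> str:
    """Look up which provider a connecting client address belongs to."""
    addr = ipaddress.ip_address(ip)
    for net, name in ISP_PREFIXES.items():
        if addr in net:
            return name
    return "unknown"

def sinkhole_report(connections: Iterable[Tuple[str, str]]) -> dict:
    """connections: (client_ip, requested_host) pairs seen by the sinkhole server.
    Returns {isp: sorted client IPs} so each provider can notify its customers."""
    per_isp = defaultdict(set)
    for client_ip, host in connections:
        if resolve(host) == SINKHOLE_IP:  # only traffic for taken-over domains counts
            per_isp[isp_for(client_ip)].add(client_ip)
    return {isp: sorted(ips) for isp, ips in per_isp.items()}

# Constructed sample of what the sinkhole server logged (assumption).
SAMPLE_CONNECTIONS = [
    ("198.51.100.23", "c2-example-1.invalid"),
    ("198.51.100.23", "c2-example-2.invalid"),
    ("203.0.113.7", "c2-example-1.invalid"),
    ("203.0.113.9", "update.legit-example.invalid"),  # unrelated host, ignored
]

if __name__ == "__main__":
    for isp, ips in sinkhole_report(SAMPLE_CONNECTIONS).items():
        print(f"{isp}: notify customers behind {', '.join(ips)}")
```

The same grouping is why the article says notifications arrive via the Internet provider: the sinkhole only sees a public IP, and only the ISP can map it to a customer.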
The BSI also recommends paying attention to security features at the time of purchase and checking purchased devices right from the start. Official manufacturer support, current versions of the respective operating system and a look at the reliability of the manufacturer are also recommended.
Law enforcement agencies and IT security authorities are repeatedly able to strike blows against criminal botnets. At the end of September, for example, the US FBI was able to shut down the huge "Raptor Train" IoT botnet consisting of home routers, webcams and NAS devices.
(dmk)