On Sunday, Europol will end a three-month-long process of dismantling the Emotet botnet by triggering a time-activated .dll to delete malware from the systems.. (Europol)
On Sunday, Europol will end a three-month-long process of dismantling the Emotet botnet. A time-activated .dll sent to victim machines will delete malware from the systems.
In advance of the Europol move, security pros are praising it as a necessary step that, if all goes correct, will happen with no knowledge from individuals. But the move might raise interesting secondary effects to security, including to forensics.
“CISOs that are unaware of the existence of Emotet on their networks will likely not notice its removal,” said Austin Merritt, cyber threat intelligence analyst at Digital Shadows.
Of course, Emotet’s final undoing comes two weeks after a similar FBI operation sent a kill command to hundreds of Microsoft Exchange servers, ordering web shells to delete themselves. But there are differences in subtlety and scope.
When Europol announced the takedown of Emotet in January, it immediately started shipping the delete .dll, giving organizations a three-month period for network managers to investigate, and find and delete Emotet on their own. With that period done, remaining organizations with affected systems won’t be notified of the action taken. The FBI sent the kill command with no warning, but notified all affected parties after the fact.
The FBI web-shell takedown was immediately well-received by the infosec community as a whole. Chad Pinson, president of digital forensics, incident response, investigations and engagement management at Stroz Friedberg, said the three-month buffer from Europol all but guarantees this would be received the same way.
“If haven’t done anything at this point, you’re probably not going to know it was deleted either,” he said.”I think a lot of the people that would have a problem with this will never realize they have a problem to have.”
That obliviousness has the potential to cause additional issues. If Emotet disappears without a trace, even while enterprises may be better off without the malware, they will also lose a useful indicator of what happened on their network.
Knowing you had Emotet is the first step towards protecting against threats similar to Emotet, said Merrit.
“Analyzing for traces of Emotet in the next 48 hours is advisable,” he said.
Right now, the FBI and Europol are the only two law enforcement agencies known to lead operations of this sort. But with the FBI’s success and Europol’s potential success, many expect these types of takedowns to become a more permanent part of the landscape.
The fact that Europol is already involved may be an indicator of how common these types of opporations will be in the future.
“Europol doing this is interesting,” said Todd Carroll, former deputy agent in charge of the FBI’s Chicago field office and former agent and current chief information security officer of CyberAngel. “The way U.S. laws are written, and the abilities and capabilities of U.S. intelligence, make these types of things easier” in the U.S. versus Europe. European countries often ask the United States to handle more invasive operations for that reason.
That said, the two operations demonstrate a range in how far law enforcement is willing to go in taking control of victims’ system. The FBI’s kill command operated within the web shell’s own framework. Europol is adding an entirely new module to Emotet. If the intrusiveness continues to escalate, said Pinson, the odds of collateral damage increase.
“We have to run scripts in environments all the time, and they do not always work the way you think they will,” he said. “Someone’s going to be disappointed on the back end of this.”
Like with the FBI’s Exchange Server activities, the Europol fix for Emotep does not mitigate all potential results of an infection. Emotet could install other malware. That malware will still be there, said Felipe Duarter, a security researcher at Appgate.
“If you were infected previously and it did try to deploy an additional payload or tried to run an additional module, those damages will still be there,” he said.
All in all, most researchers expect real benefit from the Europol operation, increasing the cost of doing crime and indicating a new defensive landscape.
“It puts the onus on the attackers to figure out, ‘what do we do next? How do we change our tactics?’” said Ian Gray, senior director of intelligence at Flashpoint. “Borrowing a phrase from Cyber Command, it’s a defend forward type of stance. It really does change the dynamic where the defenders are now more in control.”