askST: How do I know if my computer is affected by ‘world’s largest botnet’?

A screengrab of one of the websites that Wang Yunhe used to sell access to IP addresses. SCREENGRAB: INTERNET ARCHIVE
Updated: Jun 03, 2024, 05:00 AM
Published: Jun 03, 2024, 05:00 AM

SINGAPORE - Malware that was allegedly created and disseminated by a Chinese national living in Singapore infected millions of personal computers globally, turning them into a vast network of zombie machines.

Wang Yunhe, 35, purportedly charged as little as US$28 (S$38) for users to tap the computers’ internet protocol (IP) addresses – the unique characters that identify each computer – to carry out all sorts of criminal activities.

These included viewing child exploitation material.

Subscribers to the network – 911 S5 Botnet – were promised anonymity, as all activities were traced back to the zombie computers and their clueless owners.

Millions of home-based Windows computers across the world were affected, with Wang offering access to the IP addresses of 19 million devices, spread across 190 countries.

In the US alone, 613,841 IP addresses were compromised. It is not known how many devices in Singapore were affected.

Wang, who lives in a condominium in Angullia Park, was arrested at his residence on May 24 during a multi-jurisdiction operation led by the US Department of Justice (DOJ).

The probe also involved the Singapore Police Force (SPF), which said it is assisting its American counterparts in the ongoing investigations.

SPF added that Washington has made an extradition request for Wang. The US has an extradition treaty with Singapore.

On May 31, Wang appeared in the State Courts, where he objected to his extradition to the US.

Following the operation, the US Federal Bureau of Investigation (FBI) released information on how to identify devices that have been affected by the malware. However, access to the FBI’s website is blocked to users in Singapore.

The Straits Times unpacks how users here can protect themselves.

Q: What is the 911 S5 Botnet?

A: The 911 S5 Botnet was a network of private computers infected with malware. Created in May 2014, it allowed cyber criminals to make use of compromised IP addresses as proxies.

The malware was distributed as virtual private network (VPN) applications, said the FBI, US Defence Criminal Investigative Service (DCIS) and US Department of Commerce (DOC) in a joint statement on May 29.

The VPN applications are MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN and ShineVPN.

Some users had directly downloaded one of the free VPNs, while others had inadvertently infected their computers, with the VPN hidden in a file, when downloading pirated video games and software.

The DOJ said cyber criminals used the network to commit a slew of crimes, including cyber attacks and large-scale fraud.

The DOJ said users of the botnet made fraudulent claims under the US government’s Covid-19 relief programmes, which resulted in US$5.9 billion in losses.

Q: How do I know if my device is affected?

A: On its website, the FBI says computer users should check for running services by looking at the “Task Manager”.

Under the “Process” tab, search for any of the six VPNs – MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN and ShineVPN.

If “Task Manager” does not detect any of them, click on the “Start” menu and key in each of the VPN names to check if any of the files are present in the computer.

If a file for any of the VPNs is found, right click on it and select “Uninstall”.

Alternatively, click on the “Start” menu and type “Add or remove programs”. If one of the VPNs in the list is found, click on its name and select “Uninstall”.

The FBI said users can verify that all associated files linked to the VPN have been removed by going into “File Explorer”.

“Click on the drive letter ‘C’: – sometimes labelled as ‘Windows (C:)’ – and navigate to ‘Program Files (x86)’.

“Then, look for the malicious software application names in the list of files and folders,” it added.

If nothing is found, then it is likely that the computer is not affected.
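
The manual checks above can also be run in one pass from a PowerShell window. The script below is an added example, not code from the FBI or from this article. It only reads and reports, and removes nothing. It matches the six names as substrings, which is an assumption because the article gives application names rather than exact process, service or folder names. It also goes slightly beyond the steps above by looking in "Program Files" as well as "Program Files (x86)".

```powershell
# Added example: read-only check for the six VPN application names in the article.
# Substring matching is an assumption; exact process/folder names are not given.
$names   = 'MaskVPN','DewVPN','PaladinVPN','ProxyGate','ShieldVPN','ShineVPN'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Running processes (the same data Task Manager lists)
Get-Process | Where-Object { $_.ProcessName -match $pattern } | ForEach-Object {
    $findings.Add([pscustomobject]@{ Source = 'Process'; Name = $_.ProcessName; Detail = $_.Path })
}

# 2. Registered services, running or stopped
Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = $_.PathName })
    }

# 3. Installed programs (what "Add or remove programs" shows)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = $_.InstallLocation })
    }

# 4. Leftover folders under Program Files (x86) and Program Files
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } | ForEach-Object {
            $findings.Add([pscustomobject]@{ Source = 'Folder'; Name = $_.Name; Detail = $_.FullName })
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No process, service, installed program or folder matched the six names.'
} else {
    $findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
}
```

Any row in the output points to the item to uninstall using the steps above; a substring match can also flag unrelated software, so check the name and path before removing anything.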

Q: How can I protect myself against botnets?

A: The FBI, DCIS and DOC have three recommendations.

The first is to avoid untrustworthy websites and advertisements.

The agencies said users should not download free software or click on any pop-up ads from such websites, as interacting with these pages could lead to malware being installed unknowingly.

Users should also ignore suspicious e-mails. Phishing e-mails, especially those with an attachment or link, are often used to infiltrate devices.

Users should also make use of anti-virus software, which can detect and remove malware used to create botnets.

The software should be kept up to date as well, to detect the most recent threats.
