FBI seizes domain behind major Russian botnet

The Daily Beast says the malware reports back to an infrastructure — either a set of photos the hacking group uploaded on Phobucket or the URL ToKnowAll[.]com — once it has infected a router. That infrastructure then installs plug-ins that can steal log-in credentials or use computers to attack industrial control networks like the power grid’s. Photobucket already deleted those photos, and now authorities have seized the ToKnowAll[.]com to prevent the malware from being able to do anything harmful.

Based on the data the FBI gathered, the malware has to reconnect to an infrastructure every router reboot, so getting control of the ToKnowAll[.]com domain means being able to disrupt the botnet in a big way. The FBI will now be able to see the IP addresses of people whose machines had been infected with the malware. Symantec technical director Vikram Thakur explained to The Daily Beast: “One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs. Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”

Since the malware is known to be present in 54 countries, including the United States, router-makers are now encouraging users to reboot their devices and to install the latest firmware to patch the vulnerability.