This software update is deleting botnet malware from infected PCs around the world

Law enforcement-designed update disconnects machines infected with Emotet malware from command and control servers.
Written by Liam Tung, Contributing Writer

A specially crafted update created by law enforcement has triggered the process of removing the Emotet botnet malware from 1.6 million infected computers around the world.

Emotet was thought to be the world's largest botnet, known for spewing millions of malware-laden spam emails each day. Law enforcement in the US, Canada and Europe conducted a coordinated takedown of Emotet infrastructure in January to rid the web of one of its worst menaces, which was used to spread banking trojans, remote access tools, and ransomware.  

Part of the action involved law enforcement commandeering Emotet's command and control (C2) infrastructure to prevent its operators from using the botnet to spread more malware. As reported by ZDNet in January, law enforcement in the Netherlands took control of two of Emotet's three-tier C2 servers. 

Law enforcement that month delivered an Emotet update that was set to remove the malware from all infected computers on April 25. According to BleepingComputer, Germany's Bundeskriminalamt (BKA) federal police agency created and pushed the uninstall update.  

"Law enforcement officials will deliver an Emotet update, an 'EmotetLoader.dll' file, which will remove the malware from all infected devices. The run key in the Windows registry of infected devices will be removed to ensure that Emotet modules are no longer started automatically and all servers running Emotet processes are terminated," said security company Redscan.

"However, it is important to note that the switch-off does not remove other malware installed on infected devices via Emotet, nor malware from other sources," it added.

And cybersecurity firm Malwarebytes has now analyzed the law enforcement Emotet uninstaller. Essentially, law enforcement used Emotet's botnet infrastructure to dismantle the malware. 

"The uninstall routine itself is very simple. It deletes the service associated with Emotet, deletes the run key, attempts (but fails) to move the file to %temp% and then exits the process," note the researchers. 

Despite the error in the law enforcement code, they add that the Emotet malware "has been neutered and is harmless since it won't run as its persistence mechanisms have been removed."
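The two persistence mechanisms the researchers describe, a Windows service and a registry Run key, are exactly what an administrator would want to confirm are gone after the 25 April clean-up, especially since the article notes the loader file itself may still be on disk. The following PowerShell audit is an added example, not code from the article, from Malwarebytes or from the law enforcement uninstaller. It assumes (a heuristic, not something the article states) that Run-key entries or services whose binary launches from a user-writable location such as %TEMP%, %APPDATA% or %LOCALAPPDATA% deserve review; it names no Emotet-specific service or key, because the article does not give them.

```powershell
# Added example: enumerate Run-key and service persistence that launches from
# user-writable directories, so the removal of such entries can be verified.
# Assumption (not from the article): binaries under %TEMP%, %APPDATA%,
# %LOCALAPPDATA% or %SystemRoot%\Temp are worth a closer look.
# Run from an elevated prompt to read the HKLM hive and full service details.

$suspiciousRoots = @(
    [Environment]::GetEnvironmentVariable('TEMP'),
    [Environment]::GetEnvironmentVariable('APPDATA'),
    [Environment]::GetEnvironmentVariable('LOCALAPPDATA'),
    "$env:SystemRoot\Temp"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Registry metadata properties that Get-ItemProperty adds to every result.
$psMetadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-UserWritablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    # Isolate the executable from its arguments: quoted path first, else first token.
    $exe = ($CommandLine -split '\s+', 2)[0]
    if ($CommandLine -match '^"([^"]+)"') { $exe = $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $suspiciousRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousRunKeyEntries {
    # Per-user and machine-wide Run/RunOnce keys, including the 32-bit view on 64-bit Windows.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMetadata -contains $p.Name) { continue }
            if (Test-UserWritablePath $p.Value) {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value; State = '' }
            }
        }
    }
}

function Get-SuspiciousServices {
    # Win32_Service.PathName is the command line the service binary is started with.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UserWritablePath $_.PathName } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName; State = $_.State }
        }
}

$findings = @(Get-SuspiciousRunKeyEntries) + @(Get-SuspiciousServices)
if ($findings.Count -eq 0) {
    Write-Output 'No Run-key or service entries launch from user-writable locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

Anything the script lists is a candidate for review, not a confirmed infection: legitimate updaters and portable applications also run from %APPDATA%. Its value here is the negative result, which shows that neither persistence mechanism the uninstaller was meant to remove is still present on the host.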

According to an FBI press release in January, an FBI investigator's affidavit stated that: "foreign law enforcement agents, working in coordination with the FBI, gained lawful access to Emotet servers located overseas and identified the Internet Protocol addresses of approximately 1.6 million computers worldwide that appear to have been infected with Emotet malware between April 1, 2020, and Jan. 17, 2021." 

Over 45,000 of the infected computers appeared to have been located in the United States.

"Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement," the FBI said. 

"This was done with the intent that computers in the United States and elsewhere that were infected by the Emotet malware would download the law enforcement file during an already-programmed Emotet update. 

"The law enforcement file prevents the administrators of the Emotet botnet from further communicating with infected computers. The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet."
