A Russian botnet known as RSOCKS has been dismantled – but not before infecting millions of devices globally.
Like many botnets, RSOCKS initially targeted Internet of Things (IoT) devices, but it soon expanded to industrial control systems, Android devices, and PCs, according to the US Department of Justice (DoJ). Its specialty was providing cover for large-scale credential-stuffing attacks and other malicious activity by offering clients access to the IP addresses of these nodes for proxy purposes, according to the DoJ.
Via a Web-based “storefront,” users could rent access to a pool of proxies for a specified daily, weekly, or monthly time period, at prices ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.
"The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic," according to the DoJ's statement on the RSOCKS takedown. "It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages."
The DoJ worked with law enforcement in Germany, the Netherlands, and the United Kingdom to disrupt the botnet.