Chinese security firm Qihoo 360 partnered with Baidu to disrupt a malware botnet called DoubleGuns, which had infected hundreds of thousands of systems.
DoubleGuns, one of the largest malware botnets in China, targets Windows devices and was first spotted by Qihoo researchers in July 2017.
Over the past three years, the DoubleGuns trojan has changed little but has grown considerably in scale. The malware is still mainly distributed via booby-trapped apps shared on Chinese websites, most of them pirated games posted on Chinese social networks and gaming forums.
The main purpose of the malware is to infect users with MBR and VBR bootkits, install malicious drivers, and then steal credentials from local apps, with a focus on Steam accounts.
DoubleGuns also acts as an adware and spamming module, inserting ads on infected devices and hijacking QQ accounts to spread ads to the victim's friends through private messages.
Older versions of the DoubleGuns malware were also found to hijack traffic from legitimate e-commerce portals, redirecting infected users to clone sites, but this behavior is absent from the latest versions.
The trojan primarily targets Chinese users, which is evident from the malware's code: it includes functions to disable security software, most of which are Chinese antivirus products.
Qihoo says that since May 14 it has been working with Baidu in a joint operation to take down part of the botnet's backend infrastructure, most of which relied on Baidu's Tieba image hosting service.
For the past three years, DoubleGuns bots have been downloading images from the Tieba service; the images carried hidden code that instructed the bots on what to do on the infected hosts.
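The article says only that the Tieba images carried hidden instructions, not how they were embedded. The script below is an added example, not code from Qihoo, Baidu or the DoubleGuns analysis: a defender-side check that parses a PNG chunk by chunk, verifies each chunk's CRC, flags chunk types outside a small allowlist of what ordinary encoders emit, and reports any bytes appended after the IEND chunk, one of the simplest places to hide data in an otherwise valid image. The sample images are constructed inside the script, and the allowlist and the `daTa` chunk name are assumptions for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumption for this example: chunk types a plain image encoder normally emits.
# Anything outside this set is worth a closer look, not automatically malicious.
COMMON_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND",
                 b"tRNS", b"gAMA", b"pHYs", b"sRGB", b"tEXt"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the clean sample (not a real Tieba image)."""
    # width, height, bit depth, color type (0 = gray), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x00"  # filter byte + one 8-bit gray pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw_scanline))
            + _chunk(b"IEND", b""))


def with_private_chunk(png: bytes, body: bytes) -> bytes:
    """Constructed sample: insert a non-standard chunk just before IEND (the last 12 bytes)."""
    return png[:-12] + _chunk(b"daTa", body) + png[-12:]


def parse_chunks(data: bytes):
    """Walk the chunk list, verifying every CRC.

    Returns (list_of_chunk_types, offset_just_after_IEND). Raises ValueError on
    a bad signature, a truncated chunk or a CRC mismatch.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    types = []
    while True:
        if pos + 8 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[body_start:body_end]
        (stored_crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        types.append(ctype)
        pos = body_end + 4
        if ctype == b"IEND":
            return types, pos


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows IEND. A well-formed image has nothing there."""
    _, end = parse_chunks(data)
    return data[end:]


def scan_image(data: bytes) -> dict:
    """Summarize the two indicators this example looks for."""
    types, end = parse_chunks(data)
    return {
        "chunks": types,
        "unknown_chunks": [t for t in types if t not in COMMON_CHUNKS],
        "trailing_bytes": len(data) - end,
    }


if __name__ == "__main__":
    clean = build_minimal_png()
    appended = clean + b"CONSTRUCTED-SAMPLE-PAYLOAD"   # constructed, not a real command
    private = with_private_chunk(clean, b"constructed chunk body")
    for name, img in (("clean", clean), ("appended", appended), ("private", private)):
        print(name, scan_image(img))
```

Run as a script, the clean sample reports no unknown chunks and zero trailing bytes, the appended sample reports the trailing byte count, and the private-chunk sample lists `daTa` as an unknown chunk. In practice the check is cheapest at the proxy or in the sandbox, applied to images fetched by processes that have no business rendering them.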
Over the past two weeks, Qihoo and Baidu have been taking down the images used by DoubleGuns while logging connections from infected hosts. They found the botnet, estimated at "hundreds of thousands" of infected computers, too large to ignore.
However, the disruption is considered temporary, because other parts of the botnet's infrastructure are still running and its operators remain at large.