Malware Botnet Mysteriously Hijacked

John Lister's picture

A malicious network of 500,000 computers used to spread malware around the globe has been taken over by do-gooders in an apparent hijack meant to foil cyber criminals.

Victims of the botnet have not only found the stealth malware removed from their systems, but are also receiving an on-screen warning to update their computers. It appears the malware creators are themselves the victims of a hack attack by an online vigilante.

Phorpiex Botnet a Decade Old, 500k Strong

The malware concerned is distributed through the Phorpiex botnet, which has been operating for nearly 10 years.

A botnet is a network of infected computers under the control of one or more entities running a command-and-control operation. The zombie PCs can then be forced to download and pass on new malware to machines connected to the Internet, or to attack websites, servers, and services online in order to disrupt activities.

Phorpiex made news last year when reports suggested that it had shifted focus away from spreading malware, spamming, and hijacking computers in order to "mine" virtual currencies to earn real world cash.

Botnet Had Switched To Blackmail

Instead, the botnet started hitting victims with bogus email messages claiming that "hackers" had infiltrated their PCs and that the user had been watching adult content online, then blackmailing them with a threat to make it public. That reportedly raked in $115,000 in five months with very little expense or maintenance required by the scammers. (Source:

One particularly creative technique the Phorpiex controllers used was to search online leak databases for passwords associated with an email address. They would then include the password in the blackmail note as part of a claim to have breached the user's security. (Source:

Rival Cybercriminals Could Be Responsible

Surprisingly, users affected by Phorpiex started seeing pop-up messages in recent days that read "Please install AntiVirus Software and update your computer!"

Initially, security experts feared the message was bogus and simply designed to taunt them, but further analysis found the malware associated with Phorpiex was disappearing from the victims' computers.

One theory is that a "do-gooder" found a way to seize control of the Phorpiex botnet and carry out an act of public service. Another is that owners of a rival botnet took Phorpiex down, possibly out of spite or jealousy, or possibly to reduce competition when hiring out botnets to scammers who want an affordable way to carry out a one-off attack.

What's Your Opinion?

Do you think this is the work of a do-gooder? If so, is it a justified operation? Have you seen the pop-up message?



buzzallnight's picture

the password to my email, claimed that I was involved in something illegal and then tried to blackmail me with a threat to make it public.
I changed my password
and they kept making the threat with my old password so I knew they were idiots!!!!!!!!!!!

brigadand's picture

There are always warnings about botnets being circulated, but I've never seen a way of telling if you are on one. Or how to remove yourself from one if you are.