{"id":24598,"date":"2024-05-31T09:10:09","date_gmt":"2024-05-31T17:10:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/05\/31\/news-18328\/"},"modified":"2024-05-31T09:10:09","modified_gmt":"2024-05-31T17:10:09","slug":"news-18328","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/05\/31\/news-18328\/","title":{"rendered":"How to tell if a VPN app added your Windows device to a botnet"},"content":{"rendered":"\n<p>On May 29, 2024, the US Department of Justice (DOJ) <a href=\"https:\/\/www.justice.gov\/opa\/pr\/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">announced<\/a> it had dismantled what was likely the largest botnet ever taken down. The botnet, called \u201c911 S5,\u201d compromised Windows systems at more than 19 million IP addresses across more than 190 countries. Over roughly a decade the criminals who rented it stole billions of dollars, largely through pandemic relief and unemployment fraud, and also used it to sell access to child exploitation material.<\/p>\n<p>The botnet operator earned millions of dollars by selling cybercriminals access to these infected IP addresses. As part of the operation a Chinese national, YunHe Wang, was arrested. Wang is <a href=\"https:\/\/krebsonsecurity.com\/2022\/07\/a-deep-dive-into-the-residential-proxy-service-911\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">reportedly<\/a> the proprietor of the popular service.<\/p>\n<p>Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also described the botnet as a residential proxy service. A residential proxy network lets whoever controls it rent out residential IP addresses, which customers then use as relays for their own internet traffic; their true location stays hidden behind what looks like an ordinary home connection. 
Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.<\/p>\n<p>To build the botnet, Wang and his associates distributed free, illegitimate VPN applications that were written to connect to the 911 S5 service. Nothing disclosed the proxy backdoor built into them, so once users downloaded and installed one of these VPN applications their device unknowingly became part of the 911 S5 botnet.<\/p>\n<p>Sometimes the VPN applications were <a href=\"https:\/\/www.malwarebytes.com\/glossary\/bundler\">bundled<\/a> with games and other software and installed without the user\u2019s consent.<\/p>\n<p>For this reason, the FBI has published a <a href=\"https:\/\/www.ic3.gov\/Media\/Y2024\/PSA240529\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">public service announcement (PSA)<\/a> to help users find out whether they have been affected by this botnet.<\/p>\n<p>Start by checking whether any of the malicious VPN applications associated with the 911 S5 botnet is installed:<\/p>\n<ul>\n<li>MaskVPN<\/li>\n<li>DewVPN<\/li>\n<li>PaladinVPN<\/li>\n<li>ProxyGate<\/li>\n<li>ShieldVPN<\/li>\n<li>ShineVPN<\/li>\n<\/ul>\n<p>If one of these VPN applications is installed, its Start menu folder sometimes contains an uninstaller. If so, use that.<\/p>\n<p>If the application doesn&#8217;t offer an uninstall option, follow the steps below to uninstall it:<\/p>\n<ul>\n<li>Click on the Start menu (Windows button) and type \u201cAdd or remove programs\u201d to open the list of installed programs.<\/li>\n<li>Search the list for the name of the malicious VPN application.<\/li>\n<li>Once you find it, click on the application name and select \u201cUninstall\u201d.<\/li>\n<\/ul>\n<p>Once you have uninstalled the application, you will want to make sure it\u2019s no longer active. 
To do that, open Task Manager: press Ctrl+Alt+Delete and select \u201cTask Manager\u201d, or right-click on the Start menu (Windows button) and select \u201cTask Manager\u201d.<\/p>\n<p>In Task Manager look under the &#8220;Processes&#8221; tab for the following processes:<\/p>\n<ul>\n<li>MaskVPN (mask_svc.exe)<\/li>\n<li>DewVPN (dew_svc.exe)<\/li>\n<li>PaladinVPN (pldsvc.exe)<\/li>\n<li>ProxyGate (proxygate.exe, cloud.exe)<\/li>\n<li>ShieldVPN (shieldsvc.exe)<\/li>\n<li>ShineVPN (shsvc.exe)<\/li>\n<\/ul>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"610\" height=\"199\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/05\/taskmanager.png\" alt=\"\" class=\"wp-image-111326\" \/><figcaption class=\"wp-element-caption\"><em>Example by FBI showing processes associated with ShieldVPN in Task Manager<\/em><\/figcaption><\/figure>\n<p>If you find one, select the process belonging to the malicious application and click \u201cEnd task\u201d to stop it. Ending the task only stops the running copy: if the program is still installed it will normally start again at the next reboot, which is why it should be uninstalled first. Two of the listed names, proxygate.exe and cloud.exe, are generic enough that unrelated software could use them, so right-click the process and choose \u201cOpen file location\u201d to confirm where it runs from before assuming the worst.<\/p>\n<p>Alternatively, download Malwarebytes Premium (there is a <a href=\"https:\/\/www.malwarebytes.com\/trial\">free trial<\/a>) and run a scan.<\/p>\n<p>Whether you&#8217;re using the free or paid version of the app, you can manually run a scan to check for threats on your device.&nbsp;<\/p>\n<ol>\n<li>Open the app.<\/li>\n<li>On the main dashboard, click the&nbsp;<strong>Scan&nbsp;<\/strong>button.<\/li>\n<li>A progress page appears while the scan runs.<\/li>\n<li>After the scan finishes, it displays the Threat scan summary.\n<ul>\n<li><strong>If the scan detected no threats:<\/strong>&nbsp;Click&nbsp;<strong>Done<\/strong>.<\/li>\n<li><strong>If the scan detected threats on your device:<\/strong>&nbsp;Review the threats found on your computer. 
From here, you can manually quarantine threats by selecting a detection and clicking&nbsp;<strong>Quarantine<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li>Click&nbsp;<strong>View Report<\/strong>&nbsp;or&nbsp;<strong>View Scan Report&nbsp;<\/strong>to see a history of prior scans. After viewing the threat report, close the scanner window.<\/li>\n<\/ol>\n<p>If neither option, including the Malwarebytes scan, resolves the problem, the FBI has more <a href=\"https:\/\/www.fbi.gov\/investigate\/cyber\/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors\">detailed instructions<\/a>. You can also <a href=\"https:\/\/support.malwarebytes.com\/hc\/en-us\/p\/contact_support\">contact the Malwarebytes Support team<\/a> for help.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\" \/>\n<p><strong>We don&#8217;t just report on privacy\u2014we offer you the option to use it.<\/strong><\/p>\n<p>Privacy risks should never spread beyond a headline. 
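<\/p>
<p>The uninstall and Task Manager checks above can be scripted so that a Windows host is checked in one pass. The PowerShell script below is an added example; it is not part of the FBI PSA or the original post. The application and process names are taken from the lists above, while the registry paths, the service check and the treatment of proxygate.exe and cloud.exe as generic names are this example\u2019s own assumptions. It is read-only: it reports what it finds and removes nothing.<\/p>

```powershell
# Added example (not from the FBI PSA or the Malwarebytes post): read-only
# triage for the 911 S5 VPN applications named in the lists above. It checks
# running processes, the installed-program entries that "Add or remove
# programs" reads, and Windows services whose binary path points at one of
# the known executables. Nothing is modified. Run from an elevated
# PowerShell prompt so that every entry is visible.

# App name -> process image names, exactly as given in the FBI list above.
$KnownApps = @{
    'MaskVPN'    = @('mask_svc.exe')
    'DewVPN'     = @('dew_svc.exe')
    'PaladinVPN' = @('pldsvc.exe')
    'ProxyGate'  = @('proxygate.exe', 'cloud.exe')
    'ShieldVPN'  = @('shieldsvc.exe')
    'ShineVPN'   = @('shsvc.exe')
}

# Names that unrelated software could plausibly also use; hits on these are
# flagged so the file path gets checked before acting. (Assumption of this
# example, not a statement from the FBI.)
$GenericNames = @('proxygate.exe', 'cloud.exe')

function Find-911S5Artifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Kind, [string]$App, [string]$Name, [string]$Detail) {
        $note = if ($GenericNames -contains $Name.ToLower()) { 'generic name, verify path' } else { '' }
        $findings.Add([pscustomobject]@{ Kind = $Kind; App = $App; Name = $Name; Detail = $Detail; Note = $note })
    }

    # 1. Running processes. Get-Process drops the .exe suffix, so compare base names.
    $procs = Get-Process -ErrorAction SilentlyContinue
    foreach ($app in $KnownApps.Keys) {
        foreach ($exe in $KnownApps[$app]) {
            $base = [IO.Path]::GetFileNameWithoutExtension($exe)
            foreach ($p in $procs) {
                if ($p.ProcessName -ieq $base) {
                    Add-Finding 'Process' $app $exe ('PID {0} {1}' -f $p.Id, $p.Path)
                }
            }
        }
    }

    # 2. Installed programs: the registry keys "Add or remove programs" lists,
    #    covering 64-bit, 32-bit (WOW6432Node) and per-user installs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($e in $entries) {
        foreach ($app in $KnownApps.Keys) {
            if ($e.DisplayName -like ('*{0}*' -f $app)) {
                Add-Finding 'InstalledProgram' $app $e.DisplayName ('UninstallString: {0}' -f $e.UninstallString)
            }
        }
    }

    # 3. Services whose binary is one of the known executables. Most names in
    #    the FBI list end in "svc", so a service is the likely way the proxy
    #    component is kept running. Match on PathName rather than the display
    #    name, which an installer can set to anything.
    $services = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue
    foreach ($s in $services) {
        if (-not $s.PathName) { continue }
        foreach ($app in $KnownApps.Keys) {
            foreach ($exe in $KnownApps[$app]) {
                # Require a path separator or quote before the name and a quote,
                # space or end of string after it, so icloud.exe does not match cloud.exe.
                $pattern = '(^|[\\"\s])' + [regex]::Escape($exe) + '(["\s]|$)'
                if ($s.PathName -imatch $pattern) {
                    Add-Finding 'Service' $app $exe ('{0} ({1}) {2}' -f $s.Name, $s.State, $s.PathName)
                }
            }
        }
    }
    return ,$findings
}

$result = Find-911S5Artifacts
if ($result.Count -eq 0) {
    Write-Output 'No 911 S5 VPN artifacts found in processes, installed programs or services.'
} else {
    $result | Format-Table -AutoSize
    Write-Warning 'Possible 911 S5 VPN artifacts found: uninstall the program, stop and remove any service, then run a malware scan.'
}
```

<p>An InstalledProgram hit shows the UninstallString that the Add or remove programs entry would run. A Service hit means End task on its own is not enough, because the service will start again at boot and has to go together with the program. Hits on proxygate.exe or cloud.exe carry a note and should be confirmed against the file path before anything is removed.<\/p>
<p>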
Keep your online privacy yours by using\u00a0<a href=\"https:\/\/www.malwarebytes.com\/vpn\">Malwarebytes Privacy VPN<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/05\/how-to-tell-if-a-vpn-app-added-your-windows-device-to-a-botnet\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[31466,10410,31469,31472,32,31473,5897,27008,31488,31489,10863],"class_list":["post-24598","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-911-s5","tag-botnet","tag-dewvpn","tag-maskvpn","tag-news","tag-paladinvpn","tag-privacy","tag-proxygate","tag-shieldvpn","tag-shinevpn","tag-vpn"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24598"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24598\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php
\/wp-json\/wp\/v2\/categories?post=24598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}