NSA Has A 50,000 Computer Botnet From Secretly Installing Malware Around The Globe

from the keeping-us-safe...? dept

Over the weekend, the Dutch newspaper NRC published yet another slide from the Ed Snowden documents, this one showing that the NSA had infected more than 50,000 computer networks with malware. The only really new thing here is the number. We already knew that the NSA's TAO (Tailored Access Operations) group infects computers around the globe using packet injection, via a system it calls "quantum injection", and that it used this technique to install malware on key computers inside Belgacom, the Belgian telecom giant. The latest report shows that the NSA has compromised computers and networks in the same manner all around the globe:
As NRC notes, earlier reports from the Washington Post had estimated about 20,000 successful "implants" in 2008, so the NSA appears to have more than doubled its malware installations in the past four or five years. The chart itself holds some interesting tidbits. The blue dots are "Large Cable," which appear to be key fiber optic cable landing points that the NSA has tapped; the description indicates that some of those taps are "covert" while others are "cooperative" (thanks, AT&T!). CNE is "Computer Network Exploitation," and those dots cluster in areas of interest: a bunch in China and India, a lot in the Middle East, a bunch in Russia, then Mexico and South America. Basically, the NSA has access to... just about anything it wants.
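The packet-injection technique behind these implants is worth a closer look, because it leaves a trace a network defender can actually hunt for. An injection system has to answer a client's request before the real server does, so a passive sensor that sees both replies records two server-to-client TCP segments with the same sequence number but different bytes, whereas an ordinary retransmission repeats identical bytes. The script below is an added example written for this page; it is not from the Techdirt post, the NRC report or any NSA document, and every address and payload in it is constructed. It does not parse pcaps; it takes pre-decoded segments, which is where a real sensor (or a Scapy/dpkt loop feeding it) would hand off.

```python
"""Flag TCP segments that look injected by an on-path racing attacker.

Added example, not part of the Techdirt post or the NRC report. A packet-
injection system answers a client's request faster than the real server can,
so a sensor that sees both replies records two server->client segments with
the same sequence number but different bytes. Retransmissions repeat the same
bytes and must not alert. All addresses and payloads here are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def _same_bytes(a: bytes, b: bytes) -> bool:
    """True if two payloads agree on their overlapping prefix.

    A retransmission or a re-segmented copy of the same data agrees; an
    injected segment carrying different content does not."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_injection_candidates(segments):
    """Return one alert per distinct conflicting payload at a (flow, seq).

    Each alert is (flow, seq, first_payload, conflicting_payload), where
    flow = (src, sport, dst, dport)."""
    seen = defaultdict(lambda: defaultdict(list))  # flow -> seq -> payloads
    alerts = []
    for s in segments:
        if not s.payload:          # pure ACK/FIN: nothing to compare
            continue
        flow = (s.src, s.sport, s.dst, s.dport)
        prior = seen[flow][s.seq]
        if any(_same_bytes(p, s.payload) for p in prior):
            continue               # same bytes already seen: retransmission
        if prior:
            alerts.append((flow, s.seq, prior[0], s.payload))
        prior.append(s.payload)
    return alerts


def describe(alert) -> str:
    """One-line summary showing the first line of each conflicting payload."""
    flow, seq, first, second = alert
    a = first.split(b"\r\n")[0].decode("latin-1")
    b = second.split(b"\r\n")[0].decode("latin-1")
    return f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} seq={seq}: {a!r} vs {b!r}"


# Constructed sample traffic (TEST-NET addresses, hypothetical payloads).
SERVER = ("203.0.113.10", 80)
CLIENT = ("10.0.0.7", 51234)
OTHER = ("203.0.113.20", 443)

REAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>hello</body></html>")
INJECTED = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://198.51.100.9/landing\r\n\r\n")

SAMPLE = [
    # The injected reply wins the race and arrives first.
    Segment(*SERVER, *CLIENT, seq=1000, payload=INJECTED),
    # The real server's reply arrives moments later at the same seq.
    Segment(*SERVER, *CLIENT, seq=1000, payload=REAL),
    # Benign retransmission of the real reply: identical bytes, no alert.
    Segment(*SERVER, *CLIENT, seq=1000, payload=REAL),
    # Benign: an unrelated flow with a shorter re-segmented copy of the same data.
    Segment(*OTHER, *CLIENT, seq=5000, payload=b"\x17\x03\x03\x00\x20" + b"A" * 32),
    Segment(*OTHER, *CLIENT, seq=5000, payload=b"\x17\x03\x03\x00\x20" + b"A" * 16),
    # Pure ACK from the server: skipped.
    Segment(*SERVER, *CLIENT, seq=1000 + len(REAL), payload=b""),
]

if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE):
        print(describe(alert))
```

Two caveats a practitioner would want: the sensor only sees the race if it sits where both the injected and the genuine segment pass (a tap near the client, or on the victim's own uplink), and some captive portals, load balancers and buggy middleboxes also produce conflicting segments, so a hit is a triage signal to pull the full flow, not proof of an implant.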


Reader Comments

  •  
    Drew, Nov 25th, 2013 @ 3:49am

    I wonder if AV Companies white list it?

    If they do it would only take one hacker to cause freaking pandemonium on a global scale...

     


    •  
      HerpDerp, Nov 25th, 2013 @ 4:25am

      Re:

      Peter Norton has stated previously he was willing to white-list carnivore. Symantec would be a good place to start.

       


      •  
        Anonymous Coward, Nov 25th, 2013 @ 5:45am

        Re: Re:

        Of course, Peter only sold his business to Symantec, but it wouldn't surprise me in the slightest if they didn't share a common philosophy.

         


    •  
      That One Guy (profile), Nov 25th, 2013 @ 4:33am

      Re:

      Hackers? They're not the big worry, the big problem with the NSA infecting as many important networks/computers as they can is 'What happens if the public and government turns against them, demand they step down and are prosecuted for their actions, and they don't feel like going quietly?'

      With so many compromised systems, they are in a position to make things very ugly to any government or group that challenges them, and given their actions so far, I wouldn't put it past them at all, to if not perform such an action, at least hint at it to discourage any potential opposition.

       


    •  
      Anonymous Coward, Nov 25th, 2013 @ 6:22am

      Re:

      I wouldn't be surprised to find that AV companies are cooperating with the NSA to actually infect machines.

       


      •  
        Anonymous Coward, Nov 25th, 2013 @ 2:14pm

        Re: Re:

        Why even bother with infecting a machine with malware when the AV scanner is already installed? It will work just fine as a trojan by itself.
        Checked the EULA coming with your AV package lately? Have a look under the header "Privacy" or something similar. You'll find that they have essentially given themselves the right to send just about anything off your system to their databases. Files, programs, personally identifiable information, MAC addresses, IP number - everything.
        How many other US companies besides Apple, Google, Microsoft, Verizon, etc. were listed in Snowden's documents? 100+ that weren't named IIRC. Want to bet some money there are a few AV companies involved? I wouldn't.

         


        •  
          Anonymous Coward, Nov 25th, 2013 @ 3:51pm

          Re: Re: Re:

          Speaking of Microsoft, in the past Microsoft has built an NSA key directly into Windows. Google windows nsa key.

           


    •  
      John Fenderson (profile), Nov 25th, 2013 @ 7:51am

      Re:

      it would only take one hacker


      The NSA is a black-hat hacker.

       


    •  
      Anonymous Coward, Nov 25th, 2013 @ 7:54am

      Re:

      How would the AV respond to the infection?

      "3 infected files found to be infected with the NSA Botnet Spyware. Please contact the NSA for removal instructions"

       


  •  
    Anonymous Coward, Nov 25th, 2013 @ 4:15am

    So can we get some arrests made under the various computing fraud acts they must have violated?

    Oh and the title needs some love.

     


  •  
    Anonymous Coward, Nov 25th, 2013 @ 4:21am

    Snail mail and filing cabinets full of paper are about to make a comeback, at least for anything that people wish to keep secret from governments.

     


  •  
    Anonymous Coward, Nov 25th, 2013 @ 4:53am

    "The botnet population is huge. According to a study by McAfee, 'at least 12 million computers around the world (are) compromised by botnets.'"

    I did not think 50,000 seemed like a very big botnet.

    NSA needs to lift their game, I am sure Anonymous could easily do better than 50k bots !!!!

     


  •  
    Anonymous Coward, Nov 25th, 2013 @ 4:58am

    interesting !!!

    10 most wanted American botnets..

    No. 1: Zeus
    Compromised U.S. computers: 3.6 million

    No. 2: Koobface
    Compromised U.S. computers: 2.9 million

    No. 3: TidServ
    Compromised U.S. computers: 1.5 million
    ...
    No. 10: Conficker
    Compromised U.S. computers: 210,000


    Again, I find it hard to get all excited that NSA has a 50k botnet, and would have expected better from them..

     


    •  
      silverscarcat (profile), Nov 25th, 2013 @ 5:03am

      Re: interesting !!!

      50 K NETWORKS

      Not computers

      Network > Computer

       


    •  
      Anonymous Coward, Nov 25th, 2013 @ 5:15am

      Re: interesting !!!

      The NSA compromised machines are not a bot net, but rather machines that are individually accessed to find files of interest, gain access to metadata etc. Use of these machines will require thousands of NSA employees to give the interesting ones the individual attention they need.

       


    •  
      Anonymous Coward, Nov 25th, 2013 @ 5:43am

      Re: interesting !!!

      The only thing that gets darryl excited is suing dead grandmothers so he can fuck their corpses with DMCA notices.

       


    •  
      Rain Day, Nov 25th, 2013 @ 1:44pm

      These all only infect WINDOWS!

      Stop using Windows, for the love of Pete, just STOP Using Windows. Why is it that no one ever points out the obvious problem: It's Windows, ALL VERSIONS, so stop using it.

      Seriously, just say no to Windows.

       


  •  
    Anonymous Coward, Nov 25th, 2013 @ 7:10am

    This is just simply terrifying.
    If they want to convince people that they're the good guys, they need to stop acting like supervillains.

     


  •  
    united hackers association says fook you, Nov 25th, 2013 @ 7:14am

    and yes i have proof

    but you're not seeing it

     


  •  
    Anonymous Coward, Nov 25th, 2013 @ 7:23am

    But. Terrorism.

     


  •  
    Anonymous Coward, Nov 25th, 2013 @ 7:48am

    What a waste of taxpayer money

     


  •  
    Anonymous Coward, Nov 25th, 2013 @ 7:52am

    Ditch anti-virus software

    Firstly, their infections would be noticed and removed, and computers are continuously upgraded so the 50000 would be the current count of how many servers they seized control of, minus how many they lost control of.
    So 50000 is likely to be the current RECENT number done in the last few years.

    Secondly, your anti-virus didn't catch these, and I see some of them (Symantec) sheepishly mentioning there's a backdoor that listens on the SSH port for special encrypted commands (looks like NSA work, because NSA would know who sent those commands, it would be in their logs! It would be in GCHQ logs!).
    Either the anti-virus companies didn't catch it (incompetence), or they were complicit in not catching it, or maybe they are one of the backdoors.

    Thirdly, so much for Obama being in control. He's clearly not in charge here, the NSA is busy setting all kinds of illegal agendas and he's not in the loop.

     


    •  
      Anonymous Coward, Nov 25th, 2013 @ 8:32am

      Re: Ditch anti-virus software

      Serious question -
      Got a link or two showing where an AV company, like Symantec, has indicated that they will or will not detect government spyware?
      I'd love to read up more.

       


    •  
      Mr. Applegate, Nov 25th, 2013 @ 11:34am

      Re: Ditch anti-virus software

      Thirdly, so much for Obama being in control. He's clearly not in charge here, the NSA is busy setting all kinds of illegal agendas and he's not in the loop.
      Um, who says he isn't the one in charge? Him?

      If he truly wasn't "in charge" I would have expected him to be clipping a lot of wings by now, and that isn't happening. He is sitting there saying "I didn't know" but he isn't doing a damn thing about it.

      The NSA operates under the jurisdiction of the Department of Defense and reports to the Director of National Intelligence.

      The Director of National Intelligence (DNI) is the United States government official subject to the authority, direction, and control of the President required by the Intelligence Reform and Terrorism Prevention Act of 2004 to:
      Serve as principal advisor to the President, the National Security Council, and the Homeland Security Council about intelligence matters related to national security;
      Serve as head of the sixteen-member Intelligence Community; and
      Direct and oversee the National Intelligence Program.

       


      •  
        nasch (profile), Nov 26th, 2013 @ 7:49am

        Re: Re: Ditch anti-virus software

        If he truly wasn't "in charge" I would have expected him to be clipping a lot of wings by now,

        How would he clip wings if he wasn't in charge?

         


        •  
          Mr. Applegate, Nov 26th, 2013 @ 12:44pm

          Re: Re: Re: Ditch anti-virus software

          Well obviously from the chain of command, as I showed above, that puts him in the position to be "In Charge", and therefore able to clip wings.

          If things were happening "without his knowledge", in other words the NSA had gone rogue, then he would start replacing those in charge of keeping the NSA in check. That hasn't happened. Therefore, I conclude one of two possibilities.

          1. He didn't know what is going on, but agrees with it, therefore he will not reprimand anyone.

          2. He knows exactly what is going on and is not being honest with the people.

          The first option seems rather unlikely as I believe part of his campaign was about reining in the spying. Obama has failed the people he is supposed to serve.

          Congress is no better as they have the purse strings and the ability to pass legislation. They too knew, or had a duty to find out what was going on and take the appropriate steps to protect the American people. They have failed the people they are supposed to serve.

          They have all disgraced themselves, their families and in fact all Americans.

           


    •  
      Anonymous, Nov 25th, 2013 @ 4:24pm

      Re: Ditch anti-virus software

      A good firewall would stop it before your antivirus program even notices it.

       


      •  
        Anonymous Monkey (profile), Nov 26th, 2013 @ 2:20pm

        Re: Re: Ditch anti-virus software

        Most AV software comes with its own firewall, so it defeats the purpose for which you intend it to be, as the AV would whitelist the port that is listening.

         


  •  
    Anonymous Coward, Nov 25th, 2013 @ 8:07am

    So the Aussies and Kiwis are too boring to infect?

     


    •  
      Anonymous Coward, Nov 25th, 2013 @ 8:24am

      Re:

      That's not it... It's because they are part of Five Eyes just like Canada and England... See at the bottom of the slide.. Each country runs its own domestic program which is clearly not in the scope of this one slide....

       


  •  
    aldestrawk (profile), Nov 25th, 2013 @ 9:08am

    not a botnet

    Calling the 50,000 networks a botnet is mischaracterizing what is going on here. The NSA only achieves its purpose when infecting a router or switch. This is what gives them access to all the data communicated on the attached network. Recall that with Belgacom the infection of IT staff computers was only an interim step, with the ultimate goal of infecting the GRX routers. A router does not run much of the software which makes botnets so useful to their controllers. The NSA would also not ever risk their surveillance capability by using control of a router for other purposes. If the router was not functioning well or doing very strange things then network IT staff are going to notice it and start investigating. Unless there was a stealthy root-kit (not an impossibility) on the router, the malware will be discovered and removed. The OS for routers has less of an attack surface than standard computer OSs. Even if Linux, or some other variation of UNIX is used then a lot of the capability, and thus attack surface, is disabled.

    Once a router is infected, if a user's computer or server was infected that malware isn't so important anymore. Those, non-router, computers are updated much more frequently than routers or switches. Also, anti-virus software is not installed on routers. The NSA may even remove malware from non-routers to avoid detection. Then again, they may have achieved some very stealthy malware. I think it is less likely that arrangements are made with major AV companies to whitelist NSA malware. A whitelist is visible to too many people.

    This particular leak is going to have an enormous impact on NSA capability. It would behoove any security executive for telecoms, or ISPs around the world to take a close look at their routers.

     


  •  
    FM Hilton, Nov 25th, 2013 @ 9:30am

    And the beast grows

    Supposing this:

    The NSA has a network of Botnets in other countries, then the owners of those infected computers decide to run their own BotNet networks infecting other computers, and then the FBI, and Microsoft go on the hunt for these computers-installing malware to get the botnets captured.

    Could it be true? That the FBI and Microsoft have been doing this all along? Capturing and shutting down BotNet servers that began with the NSA?

    It boggles the mind completely. Total insanity, and that's why the NSA should be shut down.

    They're infecting everyone's computers with malware that has to be cleaned up by others. Such nice guys.

    Speaking of legalities, I'm pretty sure this would qualify under several international laws as electronic terrorism, plus our own laws against it.. Ah, gee whiz..the NSA can't do anything right!

     


  •  
    Jake, Nov 25th, 2013 @ 10:37am

    I count at least two countries who sent troops to fight and die in Afghanistan when the US bit off more than it could chew there.

    This is going to stick in people's memories come the next war.

     


  •  
    ECA (profile), Nov 25th, 2013 @ 2:26pm

    Sorry to see this

    NOW consider that WINDOWS is the most populous Operating system out there..
    Lets even think SIDE WAYS, and say its FLASH based..
    HOW about JAVA?
    And since they are all customized to the OS...

    any other reason NOT to use Windows products??
    Windows must HIDe the program very well, also..
    windows SERVER? WINDOWS 7? 8?

    Someone GET me to linux..

     


  •  
    nasch (profile), Nov 26th, 2013 @ 7:50am

    Headline

    I think the editor needs to take a look at this headline: "NSA Has A 50,000 Computer Botnet From Secretly Installing Malware Around The Globe". The "From" needs to be taken out.

     


