NSA Has A 50,000 Computer Botnet From Secretly Installing Malware Around The Globe

from the keeping-us-safe...? dept

Over the weekend, the Dutch media operation NRC published yet another Ed Snowden slide, showing how the NSA had infected 50,000 computer networks with malware. The only really new thing here is the number. We already knew the NSA's TAO (Tailored Access Operations) group was infecting computers around the globe using packet injection, via a system it calls "quantum injection", and that it's used these to install malware on key computers inside Belgacom, the Belgian telco giant. However, the latest report basically shows that the NSA has been able to compromise computers and networks in the same manner all around the globe:
As NRC notes, the earlier reports from the Washington Post had estimated about 20,000 successful "implants" in 2008. So it appears that the NSA has more than doubled its malware installations in the past four or five years. Of course, looking at the chart, you can see some interesting tidbits. The blue dots are "Large Cable," which appears to be key fiber optic cable endpoints that they've tapped into. From the description it appears some of those taps are "covert," while others are "cooperative" (thanks, AT&T!). CNE is "Computer Network Exploitation" and you can see that targeted in areas of interest. A bunch in China and India. A lot in the Middle East. A bunch in Russia and then Mexico and South America. Basically, the NSA has access to... just about anything it wants.

Filed Under: malware, nsa, nsa surveillance


Reader Comments



  • identicon
    Drew, 25 Nov 2013 @ 3:49am

    I wonder if AV Companies white list it?

    If they do it would only take one hacker to cause freaking pandemonium on a global scale...

    link to this | view in chronology ]

    • identicon
      HerpDerp, 25 Nov 2013 @ 4:25am

      Re:

      Peter Norton has stated previously he was willing to white-list carnivore. Symantec would be a good place to start.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Nov 2013 @ 5:45am

        Re: Re:

        Of course, Peter only sold his business to Symantec, but it wouldn't surprise me in the slightest if they didn't share a common philosophy.

        link to this | view in chronology ]

    • icon
      That One Guy (profile), 25 Nov 2013 @ 4:33am

      Re:

      Hackers? They're not the big worry, the big problem with the NSA infecting as many important networks/computers as they can is 'What happens if the public and government turns against them, demand they step down and are prosecuted for their actions, and they don't feel like going quietly?'

      With so many compromised systems, they are in a position to make things very ugly to any government or group that challenges them, and given their actions so far, I wouldn't put it past them at all, to if not perform such an action, at least hint at it to discourage any potential opposition.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 6:22am

      Re:

      I wouldn't be surprised to find that AV companies are cooperating with the NSA to actually infect machines.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Nov 2013 @ 2:14pm

        Re: Re:

        Why even bother with infecting a machine with malware when the AV scanner is already installed? It will work just fine as a trojan by itself.
        Checked the EULA coming with your AV package lately? Have a look under the header "Privacy" or something similar. You'll find that they have essentially given themselves the right to send just about anything off your system to their databases. Files, programs, personally identifiable information, MAC addresses, IP number - everything.
        How many other US companies besides Apple, Google, Microsoft, Verizon, etc. were listed in Snowden's documents? 100+ that weren't named IIRC. Want to bet some money there are a few AV companies involved? I wouldn't.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 25 Nov 2013 @ 3:51pm

          Re: Re: Re:

          Speaking of Microsoft, in the past Microsoft has built an NSA key directly into Windows. Google windows nsa key.

          link to this | view in chronology ]

    • icon
      John Fenderson (profile), 25 Nov 2013 @ 7:51am

      Re:

      it would only take one hacker

      The NSA is a black-hat hacker.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 7:54am

      Re:

      How would the AV respond to the infection.

      "3 infected files found to be infected with the NSA Botnet Spyware. Please contact the NSA for removal instructions"

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 4:15am

    So can we get some arrests made under the various computing fraud acts they must have violated?

    Oh and the title needs some love.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 4:21am

    Snail mail and filing cabinets full of paper are about to make a comeback, at least for anything that people wish to keep secret from governments.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 4:30am

      Re:

      I'm sure they have teams of people armed with kettles waiting to open up your mail en route!

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Nov 2013 @ 4:44am

        Re: Re:

        Waterproof glue is available, or heat sealed plastic bags.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 25 Nov 2013 @ 5:04am

          Re: Re: Re:

          PGP is probably safer.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 25 Nov 2013 @ 5:58am

            Re: Re: Re: Re:

            A one time pad is unbreakable even in theory, and can be used by hand. It remains secure so long as the keys are kept secure, and exchanged in a secure fashion.

            link to this | view in chronology ]

    • identicon
      HerpDerp, 25 Nov 2013 @ 4:30am

      Re:

      This and one time pad solutions, no matter how wearisome they may be.

      link to this | view in chronology ]

    • identicon
      The Real Michael, 25 Nov 2013 @ 6:48am

      Re:

      I do miss the days of the 56k modem.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Nov 2013 @ 6:53am

        Re: Re:

        Apparently Fidonet is still in use in some of the remote parts of the world.

        link to this | view in chronology ]

        • identicon
          The Real Michael, 25 Nov 2013 @ 8:49am

          Re: Re: Re:

          To clarify, I meant the times, the atmosphere, not merely the internet speed. More free, less intrusive. It was new and fun. People didn't have to worry about ham-fisted, draconian rules and regulations, take-down notices and lawsuits. It was awesome.

          I think around a little after 9/11 is when things began to go downhill.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 25 Nov 2013 @ 11:07am

            Re: Re: Re: Re:

            No, things began to go downhill after the Napster lawsuit.

            link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 4:53am

    "The botnet population is huge. According to a study by McAfee, "at least 12 million computers around the world (are) compromised by botnets."

    I did not think 50,000 seemed like a very big botnet.

    NSA needs to lift their game, I am sure Anonymous could easily do better than 50k bots !!!!

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 4:58am

      Re:

      Read beyond the title, 50k NETWORKS infected, that's substantially more than 50k computers.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Nov 2013 @ 5:06am

        Re: Re:

        that's why they call them "botNETS" !!!

        link to this | view in chronology ]

      • identicon
        Alt0, 25 Nov 2013 @ 9:20am

        Re: Re:

        Title says:
        "NSA Has A 50,000 Computer Botnet From Secretly Installing Malware Around The Globe"

        and they call it a BOTnet because IT is a network of BOTS

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 4:58am

    interesting !!!

    10 most wanted American botnets..

    No. 1: Zeus
    Compromised U.S. computers: 3.6 million

    No. 2: Koobface
    Compromised U.S. computers: 2.9 million

    No. 3: TidServ
    Compromised U.S. computers: 1.5 million
    ...
    No. 10: Conficker
    Compromised U.S. computers: 210,000


    Again, I find it hard to get all excited that NSA has a 50k botnet, and would have expected better from them..

    link to this | view in chronology ]

    • icon
      silverscarcat (profile), 25 Nov 2013 @ 5:03am

      Re: interesting !!!

      50 K NETWORKS

      Not computers

      Network > Computer

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 5:15am

      Re: interesting !!!

      The NSA compromised machines are not a bot net, but rather machines that are individually accessed to find files of interest, gain access to metadata etc. Use of these machines will require thousands of NSA employees to give the interesting ones the individual attention they need.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 5:43am

      Re: interesting !!!

      The only thing that gets darryl excited is suing dead grandmothers so he can fuck their corpses with DMCA notices.

      link to this | view in chronology ]

    • identicon
      Rain Day, 25 Nov 2013 @ 1:44pm

      These all only infect WINDOWS!

      Stop using Windows, for the love of Pete, just STOP Using Windows. Why is it that no one ever points out the obvious problem: It's Windows, ALL VERSIONS, so stop using it.

      Seriously, just say no to Windows.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 7:10am

    This is just simply terrifying.
    If they want to convince people that they're the good guys, they need to stop acting like supervillains.

    link to this | view in chronology ]

  • identicon
    united hackers association says fook you, 25 Nov 2013 @ 7:14am

    and yes i have proof

    but you're not seeing it

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 7:23am

    But. Terrorism.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 7:48am

    What a waste of taxpayer money

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 7:52am

    Ditch anti-virus software

    Firstly, their infections would be noticed and removed, and computers are continuously upgraded so the 50000 would be the current count of how many servers they seized control of, minus how many they lost control of.
    So 50000 is likely to be the current RECENT number done in the last few years.

    Secondly, your anti-virus didn't catch these, and I see some of them (Symantec) sheepishly mentioning there's a backdoor that listens on the SSH port for special encrypted commands (looks like NSA work, because NSA would know who sent those commands, it would be in their logs! It would be in GCHQ logs!).
    Either the anti-virus companies didn't catch it (incompetence), or they were complicit in not catching it, or maybe they are one of the backdoors.

    Thirdly, so much for Obama being in control. He's clearly not in charge here, the NSA is busy setting all kinds of illegal agendas and he's not in the loop.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 8:32am

      Re: Ditch anti-virus software

      Serious question -
      Got a link or two showing where an AV company, like Symantec, has indicated that they will or will not detect government spyware?
      I'd love to read up more.

      link to this | view in chronology ]

    • identicon
      Mr. Applegate, 25 Nov 2013 @ 11:34am

      Re: Ditch anti-virus software

      Thirdly, so much for Obama being in control. He's clearly not in charge here, the NSA is busy setting all kinds of illegal agendas and he's not in the loop.
      Um, who says he isn't the one in charge? Him?

      If he truly wasn't "in charge" I would have expected him to be clipping a lot of wings by now, and that isn't happening. He is sitting there saying "I didn't know" but he isn't doing a damn thing about it.

      The NSA operates under the jurisdiction of the Department of Defense and reports to the Director of National intelligence.

      The Director of National Intelligence (DNI) is the United States government official, subject to the authority, direction, and control of the President, required by the Intelligence Reform and Terrorism Prevention Act of 2004 to:
      Serve as principal advisor to the President, the National Security Council, and the Homeland Security Council about intelligence matters related to national security;
      Serve as head of the sixteen-member Intelligence Community; and
      Direct and oversee the National Intelligence Program.

      link to this | view in chronology ]

      • icon
        nasch (profile), 26 Nov 2013 @ 7:49am

        Re: Re: Ditch anti-virus software

        If he truly wasn't "in charge" I would have expected him to be clipping a lot of wings by now,

        How would he clip wings if he wasn't in charge?

        link to this | view in chronology ]

        • identicon
          Mr. Applegate, 26 Nov 2013 @ 12:44pm

          Re: Re: Re: Ditch anti-virus software

          Well obviously from the chain of command, as I showed above, that puts him in the position to be "In Charge", and therefore able to clip wings.

          If things were happening "without his knowledge", in other words the NSA had gone rogue, then he would start replacing those in charge of keeping the NSA in check. That hasn't happened. Therefore, I conclude one of two possibilities.

          1. He didn't know what is going on, but agrees with it, therefore he will not reprimand anyone.

          2. He knows exactly what is going on and is not being honest with the people.

          The first option seems rather unlikely as I believe part of his campaign was about reining in the spying. Obama has failed the people he is supposed to serve.

          Congress is no better as they have the purse strings and the ability to pass legislation. They too knew, or had a duty to find out what was going on and take the appropriate steps to protect the American people. They have failed the people they are supposed to serve.

          They have all disgraced themselves, their families and in fact all Americans.

          link to this | view in chronology ]

    • identicon
      Anonymous, 25 Nov 2013 @ 4:24pm

      Re: Ditch anti-virus software

      A good firewall would stop it before your antivirus program even notices it.

      link to this | view in chronology ]

      • icon
        Anonymous Monkey (profile), 26 Nov 2013 @ 2:20pm

        Re: Re: Ditch anti-virus software

        Most AV software comes with its own firewall, so it defeats the purpose for which you intend it, as the AV would whitelist the port that is listening.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2013 @ 8:07am

    So the Aussies and Kiwis are too boring to infect?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Nov 2013 @ 8:24am

      Re:

      That's not it... It's because they are part of Five Eyes just like Canada and England... See at the bottom of the slide.. Each country runs its own domestic program which is clearly not in the scope of this one slide....

      link to this | view in chronology ]

  • icon
    aldestrawk (profile), 25 Nov 2013 @ 9:08am

    not a botnet

    Calling the 50,000 networks a botnet is mischaracterizing what is going on here. The NSA only achieves its purpose when infecting a router or switch. This is what gives them access to all the data communicated on the attached network. Recall that with Belgacom the infection of IT staff computers was only an interim step, with the ultimate goal of infecting the GRX routers. A router does not run much of the software which makes botnets so useful to their controllers. The NSA would also not ever risk their surveillance capability by using control of a router for other purposes. If the router was not functioning well or doing very strange things then network IT staff are going to notice it and start investigating. Unless there was a stealthy root-kit (not an impossibility) on the router, the malware will be discovered and removed. The OS for routers has less of an attack surface than standard computer OSs. Even if Linux, or some other variation of UNIX is used then a lot of the capability, and thus attack surface, is disabled.

    Once a router is infected, if a user's computer or server was infected that malware isn't so important anymore. Those, non-router, computers are updated much more frequently than routers or switches. Also, anti-virus software is not installed on routers. The NSA may even remove malware from non-routers to avoid detection. Then again, they may have achieved some very stealthy malware. I think it is less likely that arrangements are made with major AV companies to whitelist NSA malware. A whitelist is visible to too many people.

    This particular leak is going to have an enormous impact on NSA capability. It would behoove any security executive for telecoms, or ISPs around the world to take a close look at their routers.

    link to this | view in chronology ]

  • identicon
    FM Hilton, 25 Nov 2013 @ 9:30am

    And the beast grows

    Supposing this:

    The NSA has a network of Botnets in other countries, then the owners of those infected computers decide to run their own BotNet networks infecting other computers, and then the FBI, and Microsoft go on the hunt for these computers-installing malware to get the botnets captured.

    Could it be true? That the FBI and Microsoft have been doing this all along? Capturing and shutting down BotNet servers that began with the NSA?

    It boggles the mind completely. Total insanity, and that's why the NSA should be shut down.

    They're infecting everyone's computers with malware that has to be cleaned up by others. Such nice guys.

    Speaking of legalities, I'm pretty sure this would qualify under several international laws as electronic terrorism, plus our own laws against it.. Ah, gee whiz..the NSA can't do anything right!

    link to this | view in chronology ]

  • identicon
    Jake, 25 Nov 2013 @ 10:37am

    I count at least two countries who sent troops to fight and die in Afghanistan when the US bit off more than it could chew there.

    This is going to stick in people's memories come the next war.

    link to this | view in chronology ]

  • icon
    ECA (profile), 25 Nov 2013 @ 2:26pm

    sORRY TO SEE THIS

    NOW consider that WINDOWS is the most populous Operating system out there..
    Lets even think SIDE WAYS, and say its FLASH based..
    HOW about JAVA?
    And since they are all customized to the OS...

    any other reason NOT to use Windows products??
    Windows must HIDe the program very well, also..
    windows SERVER? WINDOWS 7? 8?

    Someone GET me to linux..

    link to this | view in chronology ]

    • identicon
      Anonymous, 25 Nov 2013 @ 4:26pm

      Re: sORRY TO SEE THIS

      How about Java? It's disabled on my computer, along with Javascript and Active X.

      link to this | view in chronology ]

  • icon
    nasch (profile), 26 Nov 2013 @ 7:50am

    Headline

    I think the editor needs to take a look at this headline: "NSA Has A 50,000 Computer Botnet From Secretly Installing Malware Around The Globe". The "From" needs to be taken out.

    link to this | view in chronology ]
