According to a joint announcement by authorities, the 911 S5 botnet began operating in May 2014 and was taken down in July 2022 before being “reborn” under the name Cloudrouter in October 2023.

911 S5 may be the world's largest botnet and residential proxy service with over 19 million compromised IP addresses in over 190 countries, causing billions of dollars in damage.

Authorities identified free, illegal VPN apps that were created to connect to 911 S5's service, including: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

When users download these VPN apps, they unwittingly become victims of the 911 S5 botnet. These proxy backdoors allow criminals to commit crimes such as bomb threats, financial fraud, identity theft, child exploitation, etc. By using the proxy backdoors, the illegal activities appear to originate from the victim's device.

To check whether your device is part of the 911 S5 botnet, follow the FBI's instructions below.

1. Press Control + Alt + Delete on the keyboard and select Task Manager or right-click on the Start menu and select Task Manager.

2. Once Task Manager has launched, under the Processes tab, look for: MaskVPN (mask_svc.exe), DewVPN (dew_svc.exe), PaladinVPN (pldsvc.exe), ProxyGate (proxygate.exe, cloud.exe), ShieldVPN (shieldsvc.exe), ShineVPN (shsvc.exe).

Example of ShieldVPN and ShieldVPN Svc in action.

If Task Manager doesn't detect one of the above services, check by looking in the Start menu for any traces of software labeled "MaskVPN," "DewVPN," "ShieldVPN," "PaladinVPN," "ProxyGate," or "ShineVPN."

3. Click the Start button in the bottom left corner of the screen, then search for the following names: MaskVPN, DewVPN, ShieldVPN, PaladinVPN, ShineVPN, ProxyGate.

4. If you detect one of the VPN apps, you can find the uninstall tool located below. Click Uninstall.


5. If the app does not have an uninstall option, follow these steps:

a. Click the Start menu and type "Add or remove programs" to open the "Add or remove programs" menu.

b. Find the name of the malicious application. Once found, click on the application name and select Uninstall.

c. You can then verify that the application has been removed by clicking Start and typing "File Explorer".

d. Click on drive C and select Program Files (x86). Here, look for the name of the malicious application in the list of files and folders.


e. For ProxyGate, go to "C:\users\[Userprofile]\AppData\Roaming\ProxyGate".

f. If you don't see any folders labeled "MaskVPN," "DewVPN," "ShineVPN," "ShieldVPN," "PaladinVPN," or "ProxyGate," these apps may not be installed.

g. If a service is detected as running but is not found in the Start menu or Add or remove programs:

Go to the directory described in 5d and 5e.

Open Task Manager.

Select the service related to one of the malicious VPN applications running in the Processes tab.

Select End task to stop the application. Then, right-click on the folder named "MaskVPN," "DewVPN," "ShineVPN," "ShieldVPN," "PaladinVPN," or "ProxyGate" and select Delete. You can also select all the files in the folder and select Delete.


If you see an error message when trying to delete the folder or all the files in the folder, make sure you have terminated all processes in Windows Task Manager as described in step 5g.

(According to the FBI)
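
The checks in steps 2, 5d and 5e can also be run as one read-only PowerShell script. This is an added example, not part of the FBI's instructions: it only reports matches, uses the process and folder names listed above, and assumes user profiles live under the system drive's Users folder.

```powershell
# Added example (not from the FBI guidance): report-only check, nothing is stopped or deleted.
# Process names are given without ".exe" because Get-Process matches on the base name.
$processNames = @{
    'mask_svc'  = 'MaskVPN'
    'dew_svc'   = 'DewVPN'
    'pldsvc'    = 'PaladinVPN'
    'proxygate' = 'ProxyGate'
    'cloud'     = 'ProxyGate'   # generic name: confirm the Path column before drawing conclusions
    'shieldsvc' = 'ShieldVPN'
    'shsvc'     = 'ShineVPN'
}
$folderNames = 'MaskVPN', 'DewVPN', 'ShineVPN', 'ShieldVPN', 'PaladinVPN', 'ProxyGate'
$findings = @()

# Step 2: running processes with one of the listed names.
foreach ($p in Get-Process -Name @($processNames.Keys) -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{
        Type = 'Process'; App = $processNames[$p.Name]
        Detail = "$($p.Name).exe (PID $($p.Id))"; Path = $p.Path
    }
}

# Step 5d: folders under Program Files (x86); the variable is empty on 32-bit Windows.
$pf86 = ${env:ProgramFiles(x86)}
if ($pf86) {
    foreach ($name in $folderNames) {
        $dir = Join-Path $pf86 $name
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $findings += [pscustomobject]@{ Type = 'Folder'; App = $name; Detail = 'install folder'; Path = $dir }
        }
    }
}

# Step 5e: ProxyGate folder in each user profile (run elevated to read other users' profiles).
$users = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
foreach ($userDir in $users) {
    $dir = Join-Path $userDir.FullName 'AppData\Roaming\ProxyGate'
    if (Test-Path -LiteralPath $dir -PathType Container -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Folder'; App = 'ProxyGate'; Detail = "profile $($userDir.Name)"; Path = $dir }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the listed process or folder names were found.' }
```

An empty result covers only the names and locations listed in the steps above; any match should then be handled with the removal steps in 4 and 5.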