Unplugging PlugX : Sinkholing the PlugX USB worm botnet
In March 2023, Sophos published an article entitled “A border-hopping PlugX USB worm takes its act on the road” putting the light on a PlugX variant with worming capabilities. According to the Sophos blogspot, all of these PlugX samples communicate to only one IP address. In September 2023, we managed to take ownership of this IP address to sinkhole that botnet.
Hundreds of thousands of unique IP addresses sent PlugX distinctive requests to our sinkhole server in the first weeks of sinkholing. Even if the botnet can be considered as “dead”, anyone with interception capabilities or taking the ownership of this server can send arbitrary commands to the infected computers, repurposing the botnet for malicious activities.
This presentation aims to explain the roots of this campaign, our sinkholing methodology, the PlugX internals with some reversing and the legal issues of disinfection leading us to think about the sovereign disinfection concept.