(FBI 5/29/2024) How to Identify and Remove VPN Applications That Contain 911 S5 Back Doors--in 2022 it suffered a hacker attack, then on 7/28/2022 911 S5 was permanently shut down
2024/06/01 13:13:13

https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors
How to Identify and Remove VPN Applications That Contain 911 S5 Back Doors (5/29/2024)

The FBI, the Defense Criminal Investigative Service, and the Department of Commerce's Office of Export Enforcement have published a public service announcement (the “PSA”) for individuals and businesses to better understand and guard against the 911 S5 residential proxy service and botnet. The PSA is available at ic3.gov/Media/Y2024/PSA240529.

As explained in the PSA, 911 S5 began operating in May 2014 and was taken offline by the administrator in July 2022 before reconstituting as Cloudrouter in October 2023. 911 S5 was likely the largest residential proxy service and botnet with over 19 million compromised IP addresses in over 190 countries and confirmed victim losses in the billions of dollars.

Free, illegitimate VPN applications that were created to connect to the 911 S5 service are: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

Unaware of the proxy backdoor, once users downloaded these VPN applications, they unknowingly became a victim of the 911 S5 botnet. The proxy backdoor enabled 911 S5 users to re-route their devices through victims’ devices, allowing criminals to carry out crimes such as bomb threats, financial fraud, identity theft, child exploitation, and initial access brokering. By using a proxy backdoor, criminals made nefarious activity appear as though it was coming from the victims’ devices.

The below information is intended to help identify and remove 911 S5’s VPN applications from devices or machines.

Before electing to use this information, users may want to consult with legal counsel and cybersecurity professionals, potentially including an incident response firm if they deem necessary, to explore all options and assist with any remediation efforts to avoid further harm by malicious software applications or botnets. The FBI makes no warranties or representations regarding the efficacy of this information.
Check for Running Services
1. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows icon) and select the "Task Manager" option.

2. Task Manager should now be running. Under the "Process" tab, look for the following:
MaskVPN (mask_svc.exe)
DewVPN (dew_svc.exe)
PaladinVPN (pldsvc.exe)
ProxyGate (proxygate.exe, cloud.exe)
ShieldVPN (shieldsvc.exe)
ShineVPN (shsvc.exe)
Example of running processes for ShieldVPN and ShieldVPN Svc:
If Task Manager doesn't detect any of these services, verify that by searching the Start menu for any traces of software labeled as "MaskVPN," "DewVPN," "ShieldVPN," "PaladinVPN," "ProxyGate," or "ShineVPN."

3. Click on the "Start" (Windows Icon) button typically found in the lower left-hand corner of the screen. Then, search for the following terms, which are the identified names of the malicious software applications:
MaskVPN
DewVPN
ShieldVPN
PaladinVPN
ShineVPN
ProxyGate

4. If one of the VPN applications is found, an uninstaller is sometimes located under the Start menu option of the VPN application. The example image below shows an instance where the uninstall option isn't available.

5. If the application doesn't contain an uninstall option, then follow the steps below to attempt to uninstall the application:
Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the "Add and Remove Programs" menu.
Search for the malicious software application names.
An example image below shows the ShieldVPN application found within the “Add or remove programs” application list. Once you find the application in the list, click on the application name and select the “Uninstall” option.
After the application is uninstalled, you can try to verify that the application has been removed by clicking on "Start" (Windows Icon) and typing “File Explorer."
Click on the drive letter “C:”—sometimes labeled as “Windows (C:)”—and navigate to "Program Files(x86)." Then, look for the malicious software application names in the list of files and folders.

For ProxyGate, navigate to "C:\users\[Userprofile]\AppData\Roaming\ProxyGate."
If you don't see any folder labeled "MaskVPN," "DewVPN," "ShineVPN," "ShieldVPN," "PaladinVPN," or "ProxyGate," then this particular malicious software application may not be installed.

If a service was found running, but not found under the Start menu or "Add and Remove Programs," then:
Navigate to the directories described in directions 5d and 5e.
Open “Task Manager."
Select the service related to one of the identified malicious software applications running in the process tab.
Select the option “End task” to attempt to stop the process from running.
Right-click on the folder named “MaskVPN,” “DewVPN,” “ShineVPN,” “ShieldVPN,” “PaladinVPN,” or "ProxyGate."
Select the “Delete” option.
You can also select all files found within the folder and then select the “Delete” option.
If you try to delete the folder—or to delete all files located inside the folder—and receive an error message, be sure that you've ended all processes related to the malicious software within Windows Task Manager, as described in step 5g.

6. Based on the instructions found above, were you able to locate any of the listed files on your computer? Please click this link to select “Yes” or “No." No other information is needed.
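As an added example (not part of the FBI page), the checks in steps 2 through 5 gathered into one read-only PowerShell script: the executable names, folder names and the ProxyGate AppData path come from the text above, while the Uninstall registry keys are the standard Windows location behind "Add or remove programs" and checking every profile under C:\Users is a small generalisation of the single-profile path the PSA gives.

```powershell
# Added example, not from the FBI page: a read-only PowerShell sweep for the
# 911 S5 VPN artifacts the PSA names. It reports findings and removes nothing;
# removal stays manual per the steps above. Run from an elevated prompt so
# every user profile and both 32/64-bit uninstall hives are readable.
# Application name -> executable names, taken from the PSA's Task Manager list.
$Apps = @{
    'MaskVPN'    = @('mask_svc.exe')
    'DewVPN'     = @('dew_svc.exe')
    'PaladinVPN' = @('pldsvc.exe')
    'ProxyGate'  = @('proxygate.exe', 'cloud.exe')
    'ShieldVPN'  = @('shieldsvc.exe')
    'ShineVPN'   = @('shsvc.exe')
}
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $App, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; App = $App; Detail = $Detail })
}

# Step 2: running processes. Get-Process names carry no ".exe" suffix.
foreach ($app in $Apps.Keys) {
    foreach ($exe in $Apps[$app]) {
        $name = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            Add-Finding 'Process' $app ('PID {0}: {1}' -f $_.Id, $_.Path)
        }
    }
}

# Step 5 ("Add or remove programs"): those entries are read from the Uninstall
# registry keys, so a hit here means an uninstaller should be listed there.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = $_
    foreach ($app in $Apps.Keys) {
        if ($entry.DisplayName -like "*$app*") {
            Add-Finding 'Installed' $app ('{0} (uninstall: {1})' -f $entry.DisplayName, $entry.UninstallString)
        }
    }
}

# Step 5 (File Explorer): install folders under both Program Files trees, plus the
# per-user ProxyGate folder. Every profile under C:\Users is checked (generalisation).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($app in $Apps.Keys) {
    foreach ($root in $roots) {
        $dir = Join-Path $root $app
        if (Test-Path -LiteralPath $dir) { Add-Finding 'Folder' $app $dir }
    }
}
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = Join-Path $_.FullName 'AppData\Roaming\ProxyGate'
    if (Test-Path -LiteralPath $dir) { Add-Finding 'Folder' 'ProxyGate' $dir }
}

if ($findings.Count -eq 0) { 'No 911 S5 VPN artifacts found.' } else { $findings | Format-Table -AutoSize }
```

A "Process" finding means step 5g (End task) applies before any folder can be deleted; a "Folder" finding with no "Installed" entry is the case the PSA describes where no uninstaller is offered.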
--5/31/2024 didn't find any on my HD; however, MS updated and many of my data folders disappeared. The question is how many US companies related to us use 911 S5 back doors; shouldn't the FBI provide a listing? Can it be related to our personal information exposed on the dark web? Most me-type people won't have any related or installed 911 S5 back doors, but US companies such as banks/credit cards, utility companies, car insurance, internet providers and cell phone service, clinic/hospital/Medicare health insurance, IRS tax and local county property tax, those with autopay, pay online.
ps MS, AT&T, Amazon... websites also sell their products with online pay.

the criminal (since 2014) was caught on 5/25/2024, and whom did he sell to, US criminals? Will the FBI soon catch the bastards in the USA, or could they already have run away through the MS update that wiped off the data file evidence on victims' notebook HDs?
ps I really hope that if any victim finds the malicious software applications DewVPN, MaskVPN, PaladinVPN, ProxyGate, ShieldVPN, ShineVPN on their notebook HD, they would post it to prove whether those bastards in the USA already ran away.

another curiosity of mine: if the US government didn't enforce embedding 911 S5 back doors, could such a disaster have been avoided?
===========================================
Singapore police arrest the mastermind behind the world's largest botnet criminal operation
According to Lianhe Zaobao on May 31, 2024, a 35-year-old Chinese national accused of running and controlling the world's largest malware crime network, which compromised computers in nearly 200 countries and defrauded victims of more than several billion US dollars, was recently arrested in Singapore.
The Chinese national, Wang Yunhe (王云禾), had also obtained citizenship of St Kitts and Nevis through investment. The US Department of Justice (DOJ) announced on Wednesday (May 29) that, working over several days with law enforcement agencies in multiple countries, including the Singapore Police Force and the Attorney-General's Chambers, it had successfully arrested him last Friday (the 24th).
The DOJ said Wang is accused of working with others from 2014 to July 2022 to create and spread a botnet named "911 S5" to Microsoft Windows computers in many countries, and of selling access to the network to other cybercriminals.
A "botnet" uses one or more propagation methods to infect many hosts with bot malware at the same time, so that a "one-to-many" control network forms between the controller and the infected hosts; criminals can use these "zombie computers" under their control to launch larger attacks on other servers and cause network congestion.
--the buyers are all criminals (not 911S5 clients) but purchased the botnet (botnet malware) from Wang Yunhe's company, which sold botnet malware and 911S5 (residential proxy IP network)?
Criminals attacking other servers to create network congestion for what, blackmail? I still remember years ago tons of US fraud advertising emails caused our internet to break, and then either our internet provider solved it or the modem/router companies blocked it. But I didn't hear of the criminals getting money, and also didn't hear of any US criminal being caught.

Earlier news: [May 28, 2024: US Treasury sanctions individuals and entities linked to the 911 S5 botnet; Shanghai International Trade Compliance Legal Service Platform (jmhg.sh.cn)]

Chinese man arrested in Singapore for operating malware, to be extradited to the US. Time: 2024-05-31 06:58:43 Source: 侨报网 compilation
Editor: 江塔
[侨报网 compiled report] A Chinese national was recently arrested in Singapore on accusations of operating a "malware crime network". Singapore sources say he will be extradited to the US for trial.
Illustration of a cyberattack. (Image source: Xinhua file photo)
According to Lianhe Zaobao of Singapore on the 31st, a 35-year-old Chinese national is accused of running and controlling the "world's largest malware crime network", which compromised computers in nearly 200 countries and defrauded more than several billion US dollars. After his arrest in Singapore, he will be extradited to the US for trial.
The Chinese citizen Wang Yunhe (王云禾) also obtained citizenship of Saint Kitts and Nevis, in the Caribbean region of Central America, through investment. The US DOJ announced on the 29th that, working over several days with law enforcement agencies in multiple countries, including the Singapore Police Force and the Attorney-General's Chambers, it arrested Wang on the 24th.
The Singapore Police Force said that because the US and Singapore have an extradition treaty, police arrested Wang at his residence at the request of the US. Police disclosed that Wang has held a local work pass since 2022; as to whether he committed offences locally, "the US-led investigation is ongoing and the police will cooperate with the US investigation".
The US DOJ says Wang worked with others from 2014 to July 2022 to create and spread a botnet named "911S5" to Microsoft Windows computers in many countries.
--I'm very curious who the "others he worked with" are, and who knew the 911S5 back doors so well in the USA?
ps Treasury Sanctions a Cybercrime Network Associated with the 911 S5 Botnet May 28, 2024
--the others he worked with are Jingping Liu and Yanni Zheng

The report notes that a "botnet" uses one or more propagation methods to infect many hosts with bot malware at the same time, so that a "one-to-many" control network forms between the controller and the infected hosts; the operator can use these "zombie computers" under their control to create network congestion.
-- after I read "The role of residential proxy IPs in cyberattacks 2022-09-15 16:43:42 Source: 埃文科技 河南"
I guess it is similar to a VPN (virtual private network) or VIP (virtual IP address), where clients pay the fee and then no one can catch/trace your domain or IP address no matter where you are. So my question is: did Wang Yunhe's company sell the 911 S5 service and/or victims' real IP addresses to VIP/VPN/911S5 companies or the dark web?
How about those in the USA selling 911S5-like and VPN/VIP services? What is the difference between them? How about those buyers? Did the FBI ever catch US Wang Yunhe-like criminals, and can one search the FBI website as (https://home.treasury.gov/news/press-releases/jy2375#:~:text=Cybercriminals%20covet%20stolen%20residential%20IP%20addresses%20to%20obfuscate,their%20originating%20location%2C%20effectively%20defeating%20fraud%20detection%20systems.)?

Who Is Wang Yunhe? Chinese National Arrested In Singapore for Running International Cybercrime Botnet By Samhati Bhattacharjya May 31, 2024 21:54 +08
Image: Chinese national arrested in S’pore for creating malware that allowed criminals to steal billions (Pexels)
Singapore Police Force (SPF) has arrested a 35-year-old Chinese national in an international operation on charges of creating and using malware that was used in cyberattacks, large-scale fraud and child exploitation.
--剥削 (exploitation)

The SPF confirmed that Wang Yunhe was arrested on May 24 from his Singapore home for his suspected involvement in cybercriminal activities in the United States.
On Thursday, SPF told CNA that the arrest was followed by an extradition request from the United States. The US has an extradition treaty with Singapore.
--引渡 (extradition)
Search Warrants Executed in Singapore and Thailand

According to US officials, Wang ran a major botnet for nearly a decade. The US Department of Justice (DOJ) quoted FBI Director Christopher Wray as saying on Wednesday that the "911 S5" botnet – a network of malware-infected computers in nearly 200 countries – was likely the world's largest.
--十年 (a decade): since 2014

Reports claimed that this botnet was said to have amassed millions in profits by selling access to these computers to criminals who used them for identity theft, child exploitation and financial fraud including pandemic relief scams.
--积累 (amassed), 大流行 (pandemic), 疫情救济骗局 (pandemic relief scams)

FBI's deputy assistant director for cyber operations, Brett Leatherman, said that search warrants were executed in Singapore and Thailand.
"Created and Disseminated Malware"
The DOJ statement, dated May 29, said that Wang and unnamed others allegedly "created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide". It said Wang received $99 million from sales of the hijacked proxied IP addresses, either in cryptocurrency or fiat currency, between 2018 and July 2022.

As per DOJ, cybercriminals who bought access to the infected IP addresses then bypassed financial fraud detection systems and stole "billions of dollars from financial institutions, credit card issuers and federal lending programmes".
This includes fraudulent loss exceeding $5.9 billion from 560,000 fraudulent unemployment insurance claims originating from compromised IP addresses, stated the DOJ.

The indictment says Wang used his illicit gains to purchase 21 properties in the United States, China, Singapore, Thailand, the United Arab Emirates and St Kitts and Nevis, where it said he obtained citizenship through investment.
Wang's Assets Included Luxurious Cars, Watches and More
According to the statement, Wang's assets and properties included expensive sports cars, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets and luxury watches, in addition to the properties.
Matthew S Axelrod, the assistant secretary for export enforcement at the US Department of Commerce's Bureau of Industry and Security, said the crimes alleged against Wang read like they are "ripped from a screenplay".

He added, "A scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats and exchange child exploitation materials – then using the scheme's nearly US$100 million in profits to buy luxury cars, watches and real estate."
Investigations On
Officials estimated that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses.
Wang allegedly managed the botnet through 150 dedicated servers, half of them leased from US-based online service providers.
The DOJ said the operation was a multi-agency effort led by law enforcement in the US, Singapore, Thailand and Germany.
On Thursday, the Singapore police said that they and the Attorney-General's Chambers had been working on the case with the DOJ and the FBI since August 2022. The police said that the investigations, led by the US, are ongoing.

ps https://www.163.com/dy/article/J3F93CCS0511A5GF.html
US dismantles residential IP proxy ring 911 S5, which illegally controlled over 19 million IP addresses to provide VPN services 2024-05-30 19:38:39 Source: 安全圈 江苏
--I wonder whether US house-selling individual agents or realtor companies such as Zillow used 911 S5? If I received their emails or visited Zillow-type websites, would my notebook be infected with the 911 S5 botnet?

Singapore arrests 35-year-old Chinese dark web kingpin who defrauded more than several billion dollars! To be extradited to the US! 2024-05-31 23:59:29 Source: 新加坡华人圈福建
35-year-old Chinese national Wang Yunhe accused of running and controlling the world's largest malware crime network
--largest malware crime network? I deeply suspect, what about the AT&T etc. data breaches, so much exposed on the dark web? Never caught one in the USA.
Compromised computers in nearly 200 countries and defrauded more than several billion US dollars; the man was arrested in Singapore and will be extradited to the US for trial
The US DOJ said Wang is accused of operating and spreading the "911 S5" bot malware from 2014 to 2022, infecting more than 19 million IP addresses in nearly 200 countries, and selling the network to other cybercriminals, profiting at least S$100 million over 3 years
During the COVID-19 pandemic, cybercriminals submitted fraudulent applications over the internet to US COVID relief programmes, causing the authorities losses of more than US$5.9 billion. Wang used his illicit proceeds to buy 21 properties in the US, Thailand, China, the United Arab Emirates and Singapore. Wang has held a Singapore work pass since 2022; his assets and properties may be frozen or confiscated, including a Ferrari F8 Spider, deposits in CIMB and Citibank accounts, a Patek Philippe watch, an apartment unit at Angullia Park on Orchard Road...

US Treasury sanctions three Chinese nationals and three Thai companies ICT茶馆 2024-05-29 09:58 Beijing
The US Treasury sanctioned three Chinese nationals involved in cybercrime and three Thai companies for allegedly making bomb threats and fraudulently applying for COVID relief, causing billions of dollars in losses. The cybercrime group compromised victims' computers and proxied internet connections. According to Reuters, the US Treasury sanctioned three Chinese nationals and three Thai companies for their involvement in a cybercrime network that made bomb threats and fraudulently applied for COVID-related relief, causing the government billions of dollars in losses.
--still can't figure out the billions of dollars of fraudulent COVID relief claims: $1000000000/$3000 = 333,333 people whose IDs were stolen (ps not sure whether $2000 = 500,000 people, or $3000 each, 2 times, i.e. 2 billion dollars)
how did Wang Yunhe collect the money, how many US bank accounts? As far as I remember COVID relief was auto-paid to the taxpayer's IRS-filed bank account, no need to apply. The only leak was if a taxpayer's family member died and it wasn't reported.

Public records show that on May 28 local time, the US Treasury's Office of Foreign Assets Control (OFAC) placed Wang Yunhe, Liu Jingping and Zheng Yanni on the SDN list, allegedly for their links to the cybercrime network named 911 S5. OFAC also sanctioned three Thai companies, Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited and Lily Suites Company Limited, owned or controlled by Wang.
The 911 S5 network is alleged to be a malicious service that compromised victims' computers and allowed cybercriminals to proxy their internet connections through those infected computers.
--is Wang Yunhe the boss of the 911 S5 network, or did Wang Yunhe hack the 911 S5 network in 2022? Spouse told me one of the VPNs is in Panama, so is the 911 S5 VPN in Singapore?

ps spouse also told me AT&T itself also runs a VPN service. Posted on the dark web: 7.6 million current AT&T clients and 65.4 million former accounts, which many me-type people, who never received an AT&T data breach alert email, weren't counted in. ShinyHunters sells the stolen data.
ref: Rumours say AT&T leaked the data of 71 million users; the company has repeatedly denied it 2024-03-18 23:15:58 Source: 麦麦提的菜 河北
Data breach: ShinyHunters' dominance continues 2021-02-20 11:06

Sold proxy IPs, earned 716 million yuan: arrested 云头条 2024-05-30 23:56 Beijing
--that proved Wang Yunhe stole 613,841 IP addresses within the United States, leased 76 of the 150 dedicated servers worldwide from several US online service providers, and lured potential victims into installing the proxy malware by offering free VPN services

ps confirmed with spouse that in 2021 or 2022 he did download the iTopVPN one-month free trial but cancelled as it was not what he expected. In 2024 we were informed that our personal info. was exposed on the dark web on 2022-12-16 06:12:05, through the Firefox monitor report which showed 5 US company data breaches and 83 companies that exposed our info. The 5 are ClearVoice Surveys, iMenu360, Gravatar, DriveSure, DaniWeb. And the 83 are: publicrecordsnow.com, beenverified.com, backgroundcheck.run, centeda.com, clubset.com, councilon.com, ...
--obviously in 2024 the FBI already knew which companies exposed it and whom they bought it from, data brokers (at least 199 data brokers in the USA; almost all 83 that exposed our info. are data brokers too). At least I caught a British individual who declared she/he paid to get me-type email addresses and was taught by MS how to hide the sender's real email address.

Shouldn't the FBI force AT&T to provide a data breach victims listing app, like the IRS offered for the Equifax data breach, through which in Nov-Dec/2023 we found we are in the list, and the FBI provide for those not in the AT&T listing but exposed on the dark web like me-type (@ameritech.net @att.net @bellsouth.net @sbcglobal.net, @flash.net @nvbell.net @pacbell.net), especially those who never receive any data breach alert emails sent by the company, like me-type.

shouldn't the FBI investigate whether someone at AT&T-Yahoo maliciously blockaded/stole data breach and other important emails sent to me-type victims?