It appears that someone has hijacked the infrastructure of the Phorpiex (Trik) botnet to uninstall the spambot malware from infected devices. A pop-up is then displayed warning the user to update their computer and install an antivirus program to prevent further hacks.
The pop-ups recently started appearing, and people are taking notice, including the antivirus team at Check Point.
Nobody Knows Who Is the Unsung Hero Taking Down Phorpiex
Some people believed that it was just a prank added to the malware's code by the Phorpiex team to troll security researchers. As time went on, it became clear that it was happening in the real world to real victims. It wasn’t just something that appeared in the virtual machines researchers use to analyze viruses and malware.
There are a few different theories about what is happening. The malware operators may have closed shop and be bowing out on their own terms, it could be a law enforcement action, it could be a vigilante hacker, or it could even be a rival criminal gang sabotaging Phorpiex.
The most likely theory is that someone has hijacked the botnet. Phorpiex has made quite a few enemies in the botnet world, so the idea that someone has hijacked their network and is uninstalling their botnet isn’t too farfetched.
The team behind Phorpiex – which has been active for over a decade – is known to be lazy and careless. This isn’t the first time that their botnet has been breached. It also happened back in 2018, when a developer left the command and control backend servers for the botnet exposed on the internet. Security researchers were able to get in and retrieve a list of 43.5 million email addresses that Phorpiex was targeting with its spam emails.
Phorpiex is among the most active spam email botnets around. The team infects Windows computers and uses them as spambots for its malicious campaigns. The spam campaigns are what keeps the botnet alive: they infect new computers with the malware, and they also send out emails on behalf of other cybercrime gangs. That is how Phorpiex makes money.
Whoever hijacked the botnet and told it to shut itself down has dealt a significant blow to Phorpiex, its finances, and its future. To give you an idea of how profitable the botnet was, Check Point reports that it made $115,000 in five months from spamming sextortion emails.