So now that we know what the malware looks for to find its update server, what’s to stop ESET or anyone else from redirecting the malware to a different server? One that contains code that disables the malware.
What? You’ve never heard of Charlie Stross?
Rule 34? Halting State? Accelerando? Merchant Pr… never mind
All CS work is Cory Doctorow-adjacent. His blog antipope is most excellent (ware the ban hammer!)
ESET employee here. Not one that worked on this, though.
While it is not unusual to sinkhole IP addresses and hosts involved in the command and control of malware, actually modifying or sending an update to the malware is extremely problematic from a legal point of view due to a variety of issues (computer trespass, hacking laws, jurisdictional issues, etc.), and also from a technical point of view; if you end up breaking someone’s working-but-otherwise-infected system, where does liability reside? For this reason, such actions tend to occur very rarely, since it becomes a multi-nation law enforcement effort that can take months or even years to coordinate.
Not bad, but limiting it to a single Instagram location is an unnecessary weakness.
If I were doing it, I’d have the bots ask Google for the latest Kardashian news stories, and then check the article comments for cryptic control posts. A little improvement of the posting program to match the usual level of Kardashian comment, and you’re off to the races. Wherever the Kardashians are mentioned on the Internet could be a control point. The only way to block it would be to turn off comments for all Kardashian stories, or completely erase any mention of them from the Internet.