FBI urging deletion of MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN

Check your devices for the traces of 911 S5, “likely the world’s largest botnet ever” dismantled by the Federal Bureau of Investigation (FBI), and delete the free VPNs used as cybercrime infrastructure. Here’s how to do it.

The 911 S5 was one of the largest residential proxy services and botnets, which collected over 19 million compromised IP addresses in over 190 countries. Confirmed victim losses amounted to billions of dollars, Cybernews has reported.

Despite the takedown of the network and its operators, many devices remain infected with malware that appears as a “free VPN.”

“Free, illegitimate VPNs were packaged within pirated video games and software that victims downloaded on devices or machines. Once the download was complete, the VPN application and proxy backdoor were both installed silently on victims' devices without their consent, unknowingly becoming a victim of the 911 S5 botnet,” the FBI said in an announcement.

The six identified VPN applications that cybercriminals use to route illicit traffic through victims’ devices are MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

The botnet was used to carry out crimes such as “bomb threats, financial fraud, identity theft, child exploitation, and initial access brokering,” and this activity appeared to be coming from the victims' devices.

How to remove illegitimate VPNs?

In guidance released by the FBI, users are advised to consult legal counsel and cybersecurity professionals, potentially including an incident response firm if deemed necessary. The FBI makes no warranties or representations regarding the effectiveness of this information.

Windows users should first check the Task Manager (it can be opened with a Control+Alt+Delete combination or from the Start menu) for any of these processes:

  • MaskVPN (mask_svc.exe)
  • DewVPN (dew_svc.exe)
  • PaladinVPN (pldsvc.exe)
  • ProxyGate (proxygate.exe, cloud.exe)
  • ShieldVPN (shieldsvc.exe)
  • ShineVPN (shsvc.exe)

Also, verify by searching the Start menu for any traces of software with the same names.

Sometimes, the application contains an uninstaller under the Start menu option.

If the option is not available, then follow these steps:

  • Go to “Add or remove programs” in System settings.
  • Search for the malicious software application names.
  • Once you find the application in the list, click on the application name and select the “Uninstall” option.
  • After the uninstall, double check the app is removed from the Program Files(X86)” folder. To check for the ProxyGate app, navigate to “C:\users\[Userprofile]\AppData\Roaming\ProxyGate.”

If a service still runs in the Task Manager but cannot be found under the Start menu or “Add and Remove Programs,” FBI advises attempting to stop it by selecting the option “End task” and then deleting the folders named “MaskVPN,” “DewVPN,” “ShineVPN,” “ShieldVPN,” “PaladinVPN,” or "ProxyGate."

“You can also select all files found within the folder and then select the “Delete” option,” the advisory reads.

If you receive an error message when trying to delete pesky apps, make sure none of their processes are running in the Task Manager.

You can find the FBI’s full advisory here.

Protect yourself from botnets

Authorities also recommend avoiding untrustworthy websites and ads, downloading free software, such as the VPN applications listed above, and not clicking on pop-up ads from untrusted websites. Interacting with these pages often initiates malware installation on your device.

“Ignore suspicious emails. Phishing emails are one of the top techniques used to infiltrate a device. Be leery of emails that ask you to open an attachment or follow a link,” the FBI said.

Antivirus software can often detect and remove malware before it does any harm. Keep your software updated to ensure it can detect the most recent threats.

The FBI also warns businesses that botnet attacks are designed to exploit vulnerabilities in software. Therefore, it’s crucial to install updates and patches, evaluate security policies, and encourage strong credentials.