Cybercrime taskforce collects huge botnet scalp on first go

Beebone deboned by the Joint Cybercrime Action Taskforce

botnet

A sophisticated botnet has been neutered by a consortium starring the Dutch National High Tech Crime Unit and the Joint Cybercrime Action Taskforce.

The botnet, known by a number of names, including AAEH and Beebone, was a "polymorphic downloader bot" which installed various forms of malware on victims’ computers.

Like an organic virus, the botnet reproduced modified versions of itself at a furious pace, thus in its own way evolving to avoid anti-virus software and to disable processes which could have been used to shut it down.

Talking to The Register, Raj Samani, Chief Technology Officer at Intel Security, said: "We've observed it issue new variations of itself at least six times a day, usually more often."

"It is called a polymorphic downloader because it constantly issues these different morphs," added Samani "and because it downloads other forms of malware rather than assuming the malware functions itself."

When asked how many samples of the "evolved" computer virus Intel Security had in its zoo, Raj told us there were roughly five million.

Due to its ability to evolve, the botnet was eventually sinkholed, refering to the practice of "registering, suspending or seizing all domain names with which the malware could communicate" and so effectively shutting down its ability to network.

When asked if it was possible for Beebone to return, Raj explained that it wasn't, as sinkholing means all of the potential domains which related to the botnet's current command and control network had been captured.

Researchers are using the captured domains to analyse how many machines had been infected. Previously, using McAfee's telemetry, the researchers had estimated 12,000 machines were displaying symptoms of infection. The Register can reveal that new analytics, derived from attempts to communicate with the sinkholed domains, show more than 30,000 compromised machines, and the number is expected to rise.

The broad consortium of parties involved in the action included the European Cybercrime Centre (EC3) and was co-ordinated by the Joint Cybercrime Action Taskforce (J-CAT) which was only founded last year.

Also contributing were the Dutch High Tech Crime Unit, who were considered the lead investigators, and the FBI in the US, where the majority of infections are believed to have occurred.

Samani also lauded the contribution from fellow private sector actors, including Kaspersky, whose analysis validated their own, and the disinfectant software offered by F-Secure, Symantec and TrendMicro which was hosted on Shadowserver following the malware blocking user access to their site.

Europol's Deputy Director of Operations, Wil van Gemert, who had shut down the RAMNIT botnet in February, said this "successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime".

Data regarding the infections is being distributed to the ISPs and CERTs around the world, in order to inform the victims.

Samani told The Register he was unsure if any arrests would result, as this was primarily a disruption exercise.

F-Secure, Intel Security, Symantec and TrendMicro have released a remedy to clean and restore infected computers' defences. Europol advise, "for those who fear their computer may have been infected," downloading specialist disinfection software.

A list appears here. ®


Biting the hand that feeds IT © 1998–2017