Threat researchers from the Montreal division of security vendor Eset worked with colleagues from Microsoft to help the FBI and European law enforcement agencies take down a major botnet last week that has been spreading malware since 2011.
One unnamed person was arrested in Belarus, the Europol police co-operation agency said in a release.
The partners in the operation made the announcement Monday, saying that as of Nov. 29 the botnet, known to various security researchers as Andromeda, Gamarue or Wauchos, was associated with 80 malware families. On underground markets it was sold as Andromeda. Like many other bots, it is advertised as a crime kit that hackers can purchase.
In the last six months, authorities said, it was detected on, or blocked from, an average of more than 1 million machines every month.
“We did see a lot of infections in Canada,” said Jean-Ian Boutin, Eset’s lead researcher in Montreal on this effort, “but most of the recent hits we had on our telemetry were in Asia.”
The malware was spread through spam and exploit kits, with heavy use of social media. Much of the malware grabbed the credentials of unsuspecting victims as they logged in to various sites. More recently the network was used to distribute other types of malware. “There were different botnets (using the Andromeda family of malware), each with different operators,” Boutin explained.
The kit included a bot-builder, which builds the malware binary that infects computers; a command and control dashboard for managing the bots; and documentation on how to create a botnet.
Headquartered in Slovakia, Eset is a member of Microsoft’s Co-ordinated Malware Eradication project, which brings together a number of cyber security vendors to disrupt malware families and botnets. For this effort, Eset’s team of 12 researchers in Montreal set out to map as many known Andromeda botnets as it could to help law enforcement knock them down. “Our part was on the technical side, analyzing malware samples and extracting useful information,” Boutin said. As it does when gathering threat information on other malware, the Montreal team built its own bot that connected to Andromeda’s command and control servers, and used it to track the network for a year.
Andromeda was part of the Avalanche malware network which authorities dismantled exactly a year ago. Information gleaned from that operation led to the destruction of the Andromeda botnet.
As part of the most recent effort, the international technology and law enforcement partners took action against servers and domains used to spread the Andromeda malware. Overall, 1,500 domains of the malicious software were sinkholed, meaning traffic was redirected to servers controlled by law enforcement authorities and/or an IT security company. According to Microsoft, during 48 hours of sinkholing approximately 2 million unique Andromeda victim IP addresses from 223 countries were captured.
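The figure above (unique victim IP addresses seen by the sinkhole over 48 hours) is produced by de-duplicating sinkhole hits by source address inside a time window. The script below is an added illustration of that step; it is not Eset, Microsoft or Europol tooling. The log lines are constructed, and the domain names are placeholders rather than real Andromeda command and control names.

```python
"""Summarise sinkhole hits: unique victim IPs, per-domain victim sets and hit skew.

Added example (not the operation's own tooling). SAMPLE_LOG is constructed
and the domains in SINKHOLED_DOMAINS are placeholders, not real C2 names.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: "<UTC timestamp> <source IP> <queried domain>" per line.
SAMPLE_LOG = """\
2017-11-29T10:00:01Z 203.0.113.10 c2-a.example
2017-11-29T10:00:02Z 203.0.113.10 c2-a.example
2017-11-29T10:05:17Z 198.51.100.7 c2-b.example
2017-11-29T11:12:44Z 203.0.113.10 c2-b.example
2017-11-30T09:00:00Z 192.0.2.55 c2-a.example
2017-12-02T00:00:00Z 192.0.2.99 c2-a.example
2017-11-29T12:00:00Z 192.0.2.77 unrelated.example
"""

# Placeholder set of domains whose DNS now points at the sinkhole.
SINKHOLED_DOMAINS = {"c2-a.example", "c2-b.example"}


def parse_line(line):
    """Split one log line into (timestamp, ip_address, domain)."""
    ts, ip, domain = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        ipaddress.ip_address(ip),   # rejects malformed addresses early
        domain.lower(),
    )


def summarise(log_text, start, window=timedelta(hours=48)):
    """Count victims seen by the sinkhole in [start, start + window).

    Only hits for sinkholed domains count; traffic to other names that
    happens to reach the same server is ignored.
    """
    end = start + window
    unique_ips = set()
    hits_per_ip = Counter()
    ips_per_domain = defaultdict(set)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, domain = parse_line(raw)
        if domain not in SINKHOLED_DOMAINS or not (start <= ts < end):
            continue
        unique_ips.add(ip)
        hits_per_ip[ip] += 1
        ips_per_domain[domain].add(ip)

    return {
        "unique_ips": len(unique_ips),
        "total_hits": sum(hits_per_ip.values()),
        "per_domain": {d: len(ips) for d, ips in ips_per_domain.items()},
        # A single IP with many hits may be many machines behind one NAT,
        # or one bot polling aggressively; the IP count alone cannot tell.
        "max_hits_single_ip": max(hits_per_ip.values(), default=0),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, datetime(2017, 11, 29))
    print(report)
```

The unique-IP count is a proxy for infected machines, not a measurement of them: many hosts behind one NAT gateway collapse into a single address (undercount), while a bot whose address changes through DHCP over the window appears more than once (overcount). A sinkhole also only sees bots whose resolvers return the sinkhole address, so machines that are offline, use a hard-coded C2 address, or sit behind a blocking DNS layer never show up.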
The Europol statement said police in 15 countries, including Canada, were involved in the take-downs of the Avalanche and Andromeda networks. It didn’t specify how police here helped. Private sector organizations that helped included the Shadowserver Foundation, Registrar of Last Resort, the Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI).
In a statement, Eset said the Andromeda botnet was mostly used to steal credentials from home users, but it also downloaded and installed additional malware onto a system. The secondary malware delivered to victim machines included mainly Kasidet, also known as Neutrino bot, which is used to conduct distributed denial-of-service (DDoS) attacks, and the Kelihos and Lethic spambots, which have been involved in massive junk mail campaigns.
Due to its modularity, Eset said, Andromeda’s functionality could easily be extended with purchasable plugins. They included a keylogger ($150), a form grabber ($250) for capturing data entered into web forms through browsers, and a TeamViewer plugin ($250) for remotely controlling a PC or server. Standard components included a rootkit, used to hide the malware’s presence and ultimately ensure its persistence on a compromised system, and code that turns the victim computer into a proxy server for serving malware or malicious instructions to other computers on the Internet.
The malware was most commonly spread through social media, instant messaging, removable drives, spam and exploit kits.
It took four years of investigation to bring down the Avalanche network a year ago; it had infected machines in 180 countries. As a result five people were arrested and 39 servers were seized. Another 221 servers were taken offline through abuse notifications sent to the hosting providers. The Avalanche network was estimated to involve as many as 500,000 infected computers worldwide on a daily basis, Europol said.
At the time police said the operation marked the largest-ever use of sinkholing to combat botnet infrastructures, with over 800,000 domains seized, sinkholed or blocked. In Monday’s press release on the Andromeda botnet, Europol said the German sinkhole measures used in the Avalanche case have been extended for another year because, globally, 55 per cent of the computer systems originally infected by that network are still infected today.
Although malware, ransomware and distributed denial of service (DDoS) attacks continue to increase, law enforcement and technology companies continue to try to make a dent in their activities.
In 2015, for example, McAfee helped several global law enforcement agencies dismantle the so-called Beebone botnet that distributed a polymorphic worm known by McAfee as W32/Worm-AAEH. This worm helped download other malware, including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail spambots, fake antivirus, and ransomware. The same year authorities moved against the Dridex banking botnet.
While Andromeda-related botnets have been silenced, Boutin admits that the malware is still in the wild and the network could be rebuilt from scratch. “But we know through telemetry that this botnet was composed of millions of (compromised) systems. The fact that we are able to control these botnets is a big disruption for them . . . By disrupting this operation the cost of going back (to business) is higher for them.”