International effort takes down 'Beebone' botnet

A botnet of more than 12,000 computers was taken down on Wednesday through a collaborative effort by various international law enforcement agencies and tech companies.

A botnet of more than 12,000 computers was taken down on Wednesday through a collaborative effort by Europol's European Cybercrime Centre (EC3), the Joint Cybercrime Action Taskforce (J-CAT), Dutch authorities and the Federal Bureau of Investigation (FBI).

“Operation Source,” as the groups refer to it, targeted infected computers under the control of W32/Worm-AAEH, the malware that made up the “Beebone” botnet, according to a Europol press release. The polymorphic downloader bot installed various forms of malware on victims' computers. The botnet was taken down through sinkholing: registering, suspending or seizing every domain name the malware communicated with, and redirecting the malware's traffic.

“The botnet does not seem the most widespread, however the malware is a very sophisticated one, allowing multiple forms of malware to compromise the security of victims' computers,” the release stated.

More specifically, the worm, also referred to as “Changeup,” has infected more than 100,000 systems since March 2014, and more than 5 million unique samples of it have been identified. Its control servers swap out new variants one to six times per day, a report from McAfee indicated, which makes it difficult to detect. It was first spotted in the wild in mid-2009 and primarily targeted U.S. users.

The worm family's goal was to support further malware downloads that included banking password stealers, rootkits, fake antivirus and ransomware, McAfee said, and it spread across networks, removable drives, and ZIP and RAR archive files.

Beyond that, the worm is able to use encryption, disable tools from terminating it and inject malware into existing processes, along with a host of other features. It also actively blocks connections to security vendor websites.

Because infected machines are blocked from reaching those vendor sites, ShadowServer created a webpage that hosts local copies of disinfection tools to help users detect and remove the malware.
