In a move that reflected the level of co-operation between anti-malware forces, Europol's European Cybercrime Centre (EC3), the Joint Cybercrime Action Taskforce (J-CAT), the FBI, the National Cyber Investigative Joint Task Force – International Cyber Crime Coordination Cell (IC4), ShadowServer, Kaspersky and Intel Security all joined forces under the control of the Dutch National High Tech Crime Unit. Brian Honan, of security consultants BH Consulting, said the way the takedown was orchestrated was a model for the future. “There was an exceptionally high level of co-operation, something that can be difficult to achieve.”
However, the bot appears to have been more pervasive and damaging than first thought. Initial predictions indicated that about 12,000 PCs had been hit, but according to Raj Samani, CTO of Intel Security, the botnet had infected at least 30,000 machines. “We knew that our numbers were conservative, but it's a lot more global in nature than we first thought,” he said. And the numbers are set to get worse. “What we will see is an increase as the notifications go out and then we'll start to see the decrease. I'm going to talk about Beebone for the next six months until we start seeing the number go down to zero,” he said.
Samani said the botnet had first been identified by Intel Security, a task that was difficult owing to the complex nature of the bot. “There were two components – Beebone and VSOBus – and they would download iterations of each other,” said Samani. This meant that they could produce large numbers of variants; “we identified about five million,” he said. “It would take the serial number of your C drive and the username of the user; it did everything it could to avoid detection,” Samani added. “This included sandbox awareness, so it could tell if you were trying to isolate it, and it could recognise if you were trying to connect to an AV company; it would then kill the connection.”
Samani acknowledged the help of Kaspersky and the Shadowserver Foundation in identifying the bot and recognising its effect on PCs globally. “Shadowserver did a great deal: We needed to ensure that we suspended the right domains and Shadowserver helped on that. If we didn't get the right domain the bad guys could go back to do it again.”
Vicente Diaz, principal security researcher with Kaspersky, said the Beebone bot was particularly interesting. “It is used as a dropper for the attackers to download additional content to their victims, so it's a necessary piece for many banking Trojans, fake AVs, cryptos, etc. The malware is polymorphic, making a lot of samples a day and using obfuscation techniques to make it stealthy. Also it has worm-like functionalities, which enable it to spread very fast. Finally, it also uses a dynamic generation algorithm for calling home, which makes it difficult to filter,” he said. Together, those factors made the botnet very effective and dangerous, Diaz added.
The other factor that came into play was the attention given to it by the malware creators. According to Brian Honan, because the botnet was regularly changing its own code to avoid detection, this was a long-term project by the criminals concerned. “If you're providing updates regularly, you have to pay to get this done. This had to be viewed as a high-profit botnet,” he said.
The Beebone takedown – and its aftermath – showed a way forward, said Honan. “This time there was real help in cleaning up the victims; previously, takedowns have focused on the takedown and ignored the cleanup. It's good to see some attention being made to the remedy,” he said.