Global law enforcement operation decimates giant Andromeda botnet

News by Bradley Barth

An international contingent of law-enforcement agencies on Friday dismantled the massive Andromeda malware botnet, sinkholing around 1,500 malicious domains and arresting a suspect in Belarus.

The 29 November operation resulted in the identification and capture of roughly two million unique victim IP addresses in 223 countries, according to a press release from Europol, whose European Cyber-crime Centre (EC3) helped execute the takedown alongside the FBI, Germany's Luneburg Central Criminal Investigation Inspectorate, the Joint Cyber-crime Action Task Force (J-CAT) and Eurojust.

The agencies also received substantial assistance from various private-sector partners, including Microsoft Corporation and ESET, which provided key research into Andromeda.

Developed in September 2011, Andromeda, aka Gamarue or Wauchos, is known for stealing credentials from victims as well as downloading and installing up to 80 different secondary malware programs onto users' systems, including spam bots. Over the last half-year, it has been detected or blocked on an average of more than a million machines per month, Europol added.

It has also been linked to the Avalanche cyber-criminal network, whose infrastructure was dissolved one year ago on 30 November 2016 by many of the same law-enforcement agencies involved in this latest operation. In fact, the 2016 takedown of Avalanche revealed new insights into Andromeda that ultimately enabled last week's operation, Europol announced, also noting that the sinkholing of Avalanche assets has been extended for another year because 55 percent of computer systems victimised through Avalanche still remain infected today.

In its own release, ESET described Andromeda as customisable botnet malware – originally sold as a crime kit on the dark web – that allows attackers to create custom plugins that can perform malicious tasks such as controlling compromised systems and stealing content that users type into web forms. Attackers have spread Andromeda malware via social media, instant messaging, removable media, spam, and exploit kits, ESET added.

“In the past, Wauchos has been the most detected malware family amongst ESET users,” said Jean-Ian Boutin, senior malware researcher at ESET, in the release. “This particular threat has been around for several years now and it is constantly reinventing itself – which can make it hard to monitor. But... we have been able to keep track of changes in the malware's behaviour and consequently provide actionable data which has proven invaluable in these takedown efforts.”

More specifically, ESET reported that it was able to build its very own bot that could communicate with Andromeda's C&C server, allowing analysts to track the malware's botnet armies over the last year-and-a-half, while also identifying the cyber-criminals' infrastructure and chronicling what programs were installed on infected machines.

“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber-criminals and the dedicated infrastructure they use to distribute malware on a global scale,” said Steven Wilson, head of Europol's European Cyber-crime Centre. “The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”

In addition to ESET and Microsoft, other private partners included the Shadowserver Foundation; the Registrar of Last Resort; ICANN (and associated domain registries); the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI).