Takedown Stops Polymorphic Botnet

By on

Several global law enforcement agencies—with assistance from McAfee —this week successfully dismantled the “Beebone” botnet behind a polymorphic worm known by McAfee as W32/Worm-AAEH. The purpose of this worm is to facilitate downloading other malware, including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail spambots, fake antivirus, and ransomware. The worm spreads quickly to new machines and contains a cyclic update routine to replace itself with newer versions that increase the likelihood the worm will remain undetected by security software.

McAfee is aware of more than 5 million unique W32/Worm-AAEH samples. In September 2014, McAfee Labs telemetry detected more than 100,000 infections on systems in 195 countries with the majority in the United States. More recently, the number of infected systems McAfee Labs detected dropped to 12,000, largely due to our products’ effectiveness in blocking these attacks.

The botnet takedown, known as Operation Source, was led by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT). Most EU member states and law enforcement partners around the world coordinated in the action. The Dutch High Tech Crime Unit led the J-CAT effort. The U.S. Federal Bureau of Investigation provided valuable support.

The J-CAT is an effective multilateral platform established to fight cybercrime. The J-CAT works together on an operational level with public and private entities and academia to identify and mitigate the biggest cyber threats around the world and apprehend the persons responsible for them.

McAfee , along with Kaspersky Lab and Shadowserver, also provided assistance for this takedown. Shadowserver brought technical investigative skills and a rich set of information about the worm and its supporting botnet. More about the worm and botnet can be found in the McAfee Labs report Catch Me If You Can: Antics of a Polymorphic Botnet.

Dismantling the botnet’s communications infrastructure is only part of the response. Infected system remediation is equally important. Evasive steps taken by the botnet made this particularly difficult. The botnet not only changes the worm’s fingerprint many times every day, but it also actively blocks connections to security vendor websites (including mcafee.com). This is illustrated in the following image:

Poly botnet 2

Because W32/Worm-AAEH blocks connections to security software providers, those infected may have difficulty following links to download removal tools. To overcome that hurdle, the team at Shadowserver, whose support was critical to this operation, has made a webpage available from which these tools can be directly downloaded. McAfee customers can find a removal tool at http://www.mcafee.com/us/downloads/free-tools/stinger.aspx.

At McAfee, we believe in public-private partnerships. This operation is further evidence that only a combined response is capable of slowing down the ever-growing menace of cybercrime.

Categories: McAfee Labs
Tags: , , ,

Leave a Comment

Similar articles

Analytics 101

By on
From today’s smart home applications to autonomous vehicles of the future, the efficiency of automated decision-making is becoming widely embraced. Sci-fi concepts such as “machine learning” and “artificial intelligence” have been realized; however, it is important to understand that these terms are not interchangeable but evolve in complexity and knowledge to drive better decisions. Distinguishing ...
Read Blog
A new banking trojan has emerged and is going after users’ Android devices. Dubbed Cerberus, this remote access trojan allows a distant attacker to take over an infected Android device, giving the attacker the ability to conduct overlay attacks, gain SMS control, and harvest the victim's contact list. What's more, the author of the Cerberus ...
Read Blog
Global messaging giant WhatsApp turned 10 years old this year. It's not unusual for companies to provide loyal customers or members with gifts to show their appreciation during these milestones. Unfortunately, cybercriminals are using this as a ploy to carry out their malicious schemes. According to Forbes, security researchers have discovered a fraudulent message promising ...
Read Blog