Takedown Stops Polymorphic Botnet


Several global law enforcement agencies—with assistance from McAfee—this week successfully dismantled the “Beebone” botnet behind a polymorphic worm known by McAfee as W32/Worm-AAEH. The purpose of this worm is to facilitate downloading other malware, including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail spambots, fake antivirus, and ransomware. The worm spreads quickly to new machines and contains a cyclic update routine that replaces itself with newer versions, increasing the likelihood that the worm will remain undetected by security software.

McAfee is aware of more than 5 million unique W32/Worm-AAEH samples. In September 2014, McAfee Labs telemetry detected more than 100,000 infections on systems in 195 countries with the majority in the United States. More recently, the number of infected systems McAfee Labs detected dropped to 12,000, largely due to our products’ effectiveness in blocking these attacks.

The botnet takedown, known as Operation Source, was led by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT). Most EU member states and law enforcement partners around the world coordinated in the action. The Dutch High Tech Crime Unit led the J-CAT effort. The U.S. Federal Bureau of Investigation provided valuable support.

The J-CAT is an effective multilateral platform established to fight cybercrime. The J-CAT works together on an operational level with public and private entities and academia to identify and mitigate the biggest cyber threats around the world and apprehend the persons responsible for them.

McAfee, along with Kaspersky Lab and Shadowserver, also provided assistance for this takedown. Shadowserver brought technical investigative skills and a rich set of information about the worm and its supporting botnet. More about the worm and botnet can be found in the McAfee Labs report Catch Me If You Can: Antics of a Polymorphic Botnet.

Dismantling the botnet’s communications infrastructure is only part of the response. Infected system remediation is equally important. Evasive steps taken by the botnet made this particularly difficult. The botnet not only changes the worm’s fingerprint many times every day, but it also actively blocks connections to security vendor websites (including mcafee.com). This is illustrated in the following image:

[Image: Poly botnet 2]

Because W32/Worm-AAEH blocks connections to security software providers, those infected may have difficulty following links to download removal tools. To overcome that hurdle, the team at Shadowserver, whose support was critical to this operation, has made a webpage available from which these tools can be directly downloaded. McAfee customers can find a removal tool at http://www.mcafee.com/us/downloads/free-tools/stinger.aspx.
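As an added illustration (this is example code written for this page, not McAfee's, Shadowserver's, or the Stinger tool's code), the following Python script shows one defender-side check for the symptom described above: an infected host that cannot reach security vendor websites. It assumes the blocking is done by rewriting the local hosts file so that vendor hostnames resolve to a dead or wrong address; the post does not say which mechanism W32/Worm-AAEH used, so that is an assumption. The hosts file content and the vendor domain list (beyond mcafee.com, which the post names) are constructed for the demonstration.

```python
"""
Added example, not from the original post: flag hosts-file entries that
statically pin a security vendor domain. Assumes (not stated on the page)
that the worm blocks vendor sites by editing the hosts file.
"""
import ipaddress

# Vendor domains to watch. mcafee.com is named in the post; the other two
# are assumptions added for illustration.
WATCHED_DOMAINS = ("mcafee.com", "kaspersky.com", "shadowserver.org")

# Constructed sample hosts-file content (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are the kind a worm might add
127.0.0.1 www.mcafee.com
0.0.0.0   download.mcafee.com
10.0.0.5  support.kaspersky.com
192.168.1.20 intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is a watched vendor domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_blocked_vendor_entries(text):
    """Return (ip, hostname, reason) for every watched domain pinned in the file.

    A legitimate hosts file has no reason to map a vendor domain at all, so
    any such entry is suspicious; loopback or 0.0.0.0 targets are the classic
    sinkhole pattern, private addresses suggest redirection to a local box.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            reason = "unparseable address"
        else:
            if addr.is_loopback or addr.is_unspecified:
                reason = "sinkholed to loopback/unspecified"
            elif addr.is_private:
                reason = "redirected to private address"
            else:
                reason = "statically pinned"
        findings.append((ip, name, reason))
    return findings


if __name__ == "__main__":
    # On a real system, read C:\Windows\System32\drivers\etc\hosts or /etc/hosts
    # instead of SAMPLE_HOSTS.
    for ip, name, reason in find_blocked_vendor_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

Run against the sample, the script reports the three vendor entries and ignores localhost and the intranet line. This check complements, rather than replaces, a removal tool: once the host can reach the vendor site again, the infection itself still has to be cleaned.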

At McAfee, we believe in public-private partnerships. This operation is further evidence that only a combined response is capable of slowing down the ever-growing menace of cybercrime.

Categories: McAfee Labs