A giant botnet behind one million malware attacks a month just got shut down

An arrest has been made over the Andromeda botnet, following an operation involving the FBI, Europol, and cybersecurity companies.
Written by Danny Palmer, Senior Writer

A major botnet, which incorporated millions of PCs and is associated with over 80 different malware families, has been taken down in an international cyber-operation.

Authorities including the FBI, Europol's European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force, the Lüneburg Central Criminal Investigation Inspectorate in Germany, and the European Union's Eurojust agency worked with companies including Microsoft and ESET to dismantle the botnet created by the Andromeda malware.

The Andromeda malware family, also known as Gamarue, was created in September 2011 with the purpose of stealing credentials, and downloading and installing additional malware onto infected systems.

A crime kit sold on the dark web, Gamarue offers a high degree of customisation, allowing the buyer to build and deploy custom plugins. Notable examples of malicious functionality distributed through the self-service kit include plugins that steal content entered into web forms and others that give attackers remote control of compromised systems.

The malware grew so prolific that it was responsible for infecting over one million systems around the world every month. Gamarue was distributed in all manner of ways, including through social media, instant messaging, spam emails, exploit kits, and more.

Such was the reach of Gamarue that the infrastructure behind it spanned 464 distinct botnets, and its command and control servers covered 1,214 domains and IP addresses.

But on 29 November 2017, the botnet created by Gamarue was dismantled in a joint operation by law enforcement agencies and cybersecurity companies.


The servers running the malicious network were identified by ESET researchers, who built a bot that communicated with the Gamarue command and control servers. Using it, ESET and Microsoft were able to track and identify the C&C servers over the course of 18 months. That information was then used to carry out the takedown of all the domains the cybercriminals were using as C&C servers.

German law enforcement worked with the FBI and European authorities on investigations into the botnet, ultimately culminating in its dismantling at the end of November and the arrest of a suspect in Belarus.

"This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale," said Steven Wilson, the head of Europol's European Cybercrime Centre.

"The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us."

A sink-holing operation has been deployed against over a thousand domains used by the malicious software, resulting in two million Andromeda victim IP addresses from 223 countries being identified.

Gamarue was also used as part of the malicious Avalanche network, which was dismantled almost exactly one year ago in an international operation.

The sink-holing measures have been extended for at least another year, as authorities say 55 percent of the systems infected by Avalanche are still infected today.
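The victim counts in the two paragraphs above (two million unique IP addresses, 223 countries, 55 percent still infected a year later) come from triaging sinkhole hit logs: every DNS query or connection that lands on a sinkholed C&C domain is a beacon from an infected host. The script below is an added example of that triage, not code from ESET, Microsoft or the article: it parses a constructed log format ("<timestamp> <source IP> <queried domain>"), keeps only hits on a constructed list of placeholder sinkholed domains (the article names none of the real Andromeda domains), deduplicates victims by IP, maps IPs to countries with a constructed prefix table standing in for a GeoIP database, and reports which victims are still beaconing within a 30-day window. All domains, prefixes and log lines are invented for the example.

```python
"""Sinkhole hit-log triage (added example; not from the article)."""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder domains standing in for sinkholed C&C domains (constructed).
SINKHOLED_DOMAINS = frozenset({
    "c2-alpha.example.invalid",
    "c2-beta.example.invalid",
})

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "BY",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Constructed sinkhole log: "<ISO-8601 UTC timestamp> <src_ip> <queried_domain>".
SAMPLE_LOG = """\
2017-11-30T10:00:01Z 198.51.100.10 c2-alpha.example.invalid
2017-11-30T10:00:05Z 198.51.100.10 c2-alpha.example.invalid
2017-11-30T11:15:00Z 203.0.113.7 c2-beta.example.invalid
2017-12-01T08:30:00Z 192.0.2.44 c2-alpha.example.invalid
2017-12-01T09:00:00Z 192.0.2.44 www.example.com
2018-06-15T12:00:00Z 198.51.100.10 c2-beta.example.invalid
2018-11-20T17:45:12Z 203.0.113.9 c2-alpha.example.invalid
not a log line
"""


def parse_line(line: str):
    """Return (timestamp, ip, domain) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts, ip, parts[2].lower().rstrip(".")


def country_of(ip, prefixes=GEO_PREFIXES) -> str:
    """Longest-prefix-free lookup in the constructed table; '??' if unmapped."""
    for net, cc in prefixes.items():
        if ip in net:
            return cc
    return "??"


def triage(log_text: str, sinkholed=SINKHOLED_DOMAINS, prefixes=GEO_PREFIXES,
           active_window: timedelta = timedelta(days=30), now: datetime | None = None) -> dict:
    """Deduplicate sinkhole hits by source IP and summarise the victim population.

    'now' defaults to the latest hit in the log so the example is deterministic;
    in production pass datetime.now(timezone.utc).
    """
    last_seen: dict = {}                      # victim IP -> most recent beacon
    victims_per_domain = defaultdict(set)     # sinkholed domain -> victim IPs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, domain = rec
        if domain not in sinkholed:
            continue  # unrelated lookup, not a victim beacon
        victims_per_domain[domain].add(ip)
        if ip not in last_seen or ts > last_seen[ip]:
            last_seen[ip] = ts

    if now is None:
        now = max(last_seen.values(), default=datetime.now(timezone.utc))
    cutoff = now - active_window
    still_active = sorted(str(ip) for ip, ts in last_seen.items() if ts >= cutoff)
    countries = Counter(country_of(ip, prefixes) for ip in last_seen)
    return {
        "unique_victims": len(last_seen),
        "countries": dict(countries),
        "per_domain": {d: len(ips) for d, ips in victims_per_domain.items()},
        "still_active": still_active,
        "still_active_pct": round(100.0 * len(still_active) / len(last_seen), 1) if last_seen else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would apply before quoting such numbers: deduplicating by source IP undercounts hosts behind carrier-grade NAT and overcounts hosts on dynamic addresses, so the "unique victims" figure is a population estimate rather than a machine count; and the same sinkholed-domain list run against an organisation's own resolver logs is the quickest check for whether any internal host is among the still-infected share.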
