Cybersquad takes down Beebone botnet

The sophisticated botnet's operations have been disrupted in an international law enforcement operation.


The Beebone botnet, used to deliver multiple malware payloads to compromised machines, has been shut down by US and European forces.

On 8 April, Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) teamed up with Dutch law enforcement, the FBI and security firms including Intel, Kaspersky and Shadowserver to disrupt the botnet.

Beebone, also known as AAEH, is a particularly sophisticated botnet which proved difficult to disrupt due to its polymorphic download system.

Over five million samples were taken of the botnet's worm, known as W32/Worm-AAEH. According to Europol, the groups estimate that over 12,000 computers have been compromised by the botnet, but "there is likely to be many more." The greatest numbers of infections were detected in the US, Japan, India and Taiwan, but infections were detected in a total of 195 countries.

In order to take down Beebone, the teams registered, suspended and seized domain names linked to the botnet, a technique known as sinkholing. By removing these domain names from the command and control (C&C) chain, the cybersquad was able to break the links that once allowed the malware to communicate with the C&C servers, redirect traffic and download additional malware payloads. While this technique has disrupted the botnet, an antivirus scan is still required in order to scrub infected devices clean.
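The sinkholing step described above, as an added example that is not part of the article or of any of the named organisations' tooling: a seized C&C domain is answered with the sinkhole's address, and hosts that keep querying seized domains are flagged as still infected and in need of a scan. The domain names, the sinkhole IP and the DNS log format are constructed placeholders; the article does not publish the real Beebone domains.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed placeholders: the article does not list the actual Beebone domains.
SINKHOLED_DOMAINS = {"cnc-example-1.invalid", "cnc-example-2.invalid"}
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address standing in for the sinkhole server


def resolve(domain: str, real_answers: dict) -> str:
    """Answer a DNS query the way a sinkhole resolver does: seized C&C
    domains resolve to the sinkhole address, everything else as usual."""
    name = domain.lower().rstrip(".")
    if name in SINKHOLED_DOMAINS:
        return SINKHOLE_IP
    return real_answers.get(name, "NXDOMAIN")


def parse_query(line: str):
    # Constructed log format: "<ISO timestamp> <client ip> <queried name>"
    ts, client, qname = line.split()
    ipaddress.ip_address(client)  # raises ValueError on a malformed address
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def infected_hosts(log_lines):
    """Hosts that still look up seized C&C domains are still infected:
    the sinkhole only cut the C&C link, it did not remove the worm."""
    hits = defaultdict(set)
    for line in log_lines:
        if not line.strip():
            continue
        _, client, qname = parse_query(line)
        if qname in SINKHOLED_DOMAINS:
            hits[client].add(qname)
    return {host: sorted(domains) for host, domains in hits.items()}


# Constructed sample of resolver log lines seen after the domains were seized.
CONSTRUCTED_LOG = """
2015-04-08T10:00:01 10.0.0.5 cnc-example-1.invalid.
2015-04-08T10:00:02 10.0.0.9 www.example.com
2015-04-08T10:00:03 10.0.0.5 cnc-example-2.invalid
2015-04-08T10:00:04 10.0.0.7 CNC-EXAMPLE-1.INVALID
""".strip().splitlines()

if __name__ == "__main__":
    for host, domains in sorted(infected_hosts(CONSTRUCTED_LOG).items()):
        print(f"{host} needs an AV scan; contacted {', '.join(domains)}")
```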

While Beebone is not an especially large threat, Europol calls it a "very sophisticated" one, as it allows "multiple forms of malware to compromise the security of the victims' computers." The botnet is considered state-of-the-art as it updated itself almost 20 times a day and used a pair of programs which continually re-downloaded each other as an insurance policy against removal.

In addition, to prevent the malware from being detected and removed by antivirus software, the paired malicious programs were tweaked regularly.

Speaking to The Associated Press, Europol advisor Raj Samani said:

"From a techie's perspective, they made it as difficult as they possibly could for us."

Europol's Deputy Director of Operations, Wil van Gemert said:

"This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime. We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities."

While sophisticated, the botnet is relatively small in comparison to other, more well-known botnet operations. In February this year, law enforcement took down the Ramnit botnet, which had been operating for at least five years and was estimated to have infected 3.2 million computers worldwide.
