PCs still infected with Andromeda botnet malware, despite takedown

One of the largest botnets was taken out by the authorities last year - but large numbers of PCs remain infected.
Written by Danny Palmer, Senior Writer

Although it was the subject of an international takedown operation last year, traces of the Andromeda botnet can still be found on many PCs. The Andromeda botnet was associated with 80 different malware families and grew so large that it was at one point infecting a million new machines a month, distributing itself via social media, instant messaging, spam emails, exploit kits, and more.


The operation was finally taken down by the FBI, Europol's European Cybercrime Centre (EC3) and others in December last year -- but many PCs are still infected.

"We're continuing to see hits on the Andromeda botnet. What that means is the governments have actually brought down the C&Cs which manage the infrastructure, but on the endpoints, that stuff still hasn't actually been cleaned up," Anthony Giandomenico, senior security strategist at Fortinet, told ZDNet.

Fortinet's research suggests that one in ten organisations around the world have machines which contain traces of the Andromeda botnet. Asia and the Middle East are the most likely to be impacted, with the botnet eight times more prevalent in these regions than it is in Europe.

The infected Windows computers can no longer retrieve or carry out commands for the botnet, because the command-and-control servers are gone, but they still contain traces of the botnet malware.


A lack of awareness or monitoring of the networks is likely to be the reason the machines roped into the Andromeda botnet still haven't been discovered -- especially now that they can no longer cause any specific harm.

Botnets gather computers into a network which can be used for performing DDoS attacks, delivering malware and more.

Fortinet's report points out Smominru as one of the more notable botnet additions of recent times. This cryptocurrency miner has rapidly expanded its network in the first half of the year, helped along by exploiting EternalBlue, the Windows SMB exploit which made WannaCry ransomware so potent.


Researchers also point to VPNFilter as an example of an innovative new botnet, one which has been developed by a Russian state-sponsored hacking group and targets routers. Such is the threat it poses that the FBI recommended routers be reset in order to neutralise the botnet.

In order to combat the threat of botnets -- even 'dead' ones like Andromeda -- organisations need to be more proactive with their security procedures.

"What these organisations need to do is to define what their incident response processes are. The first simple step is having somebody monitor your firewalls, your intrusion prevention system, look for different types of alerts that are triggering," said Giandomenico.

"That information is going to tell you what machines are triggering on those things, then you can go to those machines and start your cleanup process," he added.
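The triage loop Giandomenico describes -- watch the firewall and IPS alerts, work out which endpoints keep triggering a botnet signature, then queue those machines for cleanup -- is small enough to show in code. The script below is an added example written for this article; it is not Fortinet's tooling and not from ZDNet. The log format (`timestamp host=... sig=... action=...`) and the signature names are assumptions chosen for the example, and the alert lines are constructed, not real Andromeda indicators. The point it illustrates is the one in the article: a "dead" botnet still produces alerts, because the infected endpoint keeps trying to beacon even though the C&C is gone, and those blocked attempts are exactly what identifies the machines that still need cleaning.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alert export (assumed format; not real Fortinet output).
# The signature names are placeholders for this example, not real IPS rule names.
SAMPLE_ALERTS = """\
2018-08-20T09:14:02 host=WS-0117 sig=Andromeda.Botnet.C2.Beacon action=blocked
2018-08-20T09:14:33 host=WS-0042 sig=Generic.Web.Scan action=allowed
2018-08-20T09:15:10 host=WS-0117 sig=Andromeda.Botnet.C2.Beacon action=blocked
2018-08-20T10:02:51 host=SRV-FILE01 sig=Andromeda.Botnet.C2.Beacon action=blocked
2018-08-20T10:03:07 host=WS-0042 sig=Smominru.Miner.Pool.Connect action=blocked
2018-08-20T11:47:19 host=WS-0117 sig=Andromeda.Botnet.C2.Beacon action=blocked
this line is malformed and should be skipped, not abort the triage
2018-08-21T08:01:00 host=WS-0203 sig=Andromeda.Botnet.C2.Beacon action=blocked
"""

# One alert per line: ISO timestamp, then key=value fields for host, signature, action.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+sig=(?P<sig>\S+)\s+action=(?P<action>\S+)$"
)


@dataclass
class HostHits:
    """Per-endpoint summary of matching alerts."""
    hits: int = 0
    first_seen: str = ""
    last_seen: str = ""
    signatures: set = field(default_factory=set)


def parse_alerts(text):
    """Yield parsed alert dicts, silently skipping lines that don't fit the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m.groupdict()


def triage(text, family_keyword):
    """Group alerts whose signature mentions `family_keyword` by the endpoint that fired them."""
    by_host = defaultdict(HostHits)
    for a in parse_alerts(text):
        if family_keyword.lower() not in a["sig"].lower():
            continue
        h = by_host[a["host"]]
        h.hits += 1
        # ISO-8601 timestamps sort correctly as strings, so min/max give first/last seen
        # without assuming the export is in chronological order.
        h.first_seen = min(h.first_seen, a["ts"]) if h.first_seen else a["ts"]
        h.last_seen = max(h.last_seen, a["ts"])
        h.signatures.add(a["sig"])
    return dict(by_host)


def cleanup_queue(text, family_keyword):
    """Endpoints to remediate, noisiest first; ties go to the host seen earliest."""
    by_host = triage(text, family_keyword)
    return sorted(by_host, key=lambda h: (-by_host[h].hits, by_host[h].first_seen))


if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS, "Andromeda")
    for host in cleanup_queue(SAMPLE_ALERTS, "Andromeda"):
        s = summary[host]
        print(f"{host}: {s.hits} hit(s), first {s.first_seen}, last {s.last_seen}, "
              f"signatures={sorted(s.signatures)}")
```

Run against the constructed sample, the queue puts WS-0117 first (three blocked beacon attempts over two hours), then the file server and the one-off workstation. Swapping the keyword for "Smominru" turns the same parser into a miner-infection check, which is why the family name is a parameter rather than hard-coded. In a real deployment the text would come from the firewall or IPS export and the host field would typically be an IP that still has to be mapped to an asset before anyone is sent to clean it.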
