Polymorphic Beebone botnet sinkholed in international police operation

On April 8, a global operation targeted the Beebone (also known as AAEH) botnet, a polymorphic downloader bot which installs various forms of malware on victims’ computers.

Initial figures show that over 12,000 computers have been infected; however, it is likely there are many more. The botnet does not seem to be the most widespread, but the malware is very sophisticated, allowing multiple forms of malware to compromise the security of the victims’ computers.

In the operation, led by the Dutch National High Tech Crime Unit, the J-CAT’s Cyber Liaison Officers worked together with Europol officials and representatives from Intel Security, Kaspersky and Shadowserver.

The botnet was sinkholed by registering, suspending or seizing all domain names with which the malware could communicate, and traffic was then redirected. Data will be distributed to ISPs and CERTs around the world in order to inform the victims.

To illustrate the sophisticated nature of this threat, there are currently over 5 million unique W32/Worm-AAEH samples, with more than 205,000 samples from 23,000 systems in 2013-2014. These systems are spread across more than 195 countries, demonstrating the threat’s global reach. The United States reported the greatest number of infections followed by Japan, India and Taiwan.

Brian Honan, Special Advisor on Internet Security to Europol’s EC3, told Help Net Security: “This is yet another great example of how Europol’s EC3 is enabling effective cooperation between law enforcement agencies in different jurisdictions in tackling cybercrime strengths. It also shows how effective Europol’s EC3 has been in working with private industry to identify and disrupt the infrastructure criminals rely on. It is also welcoming to see the inclusion of ISPs and CERTs in the clean-up operation post the botnet takedown.”

“While some may criticize that there are no arrests related to this takedown, it is important to note that disrupting the operations and cash flow of criminal gangs can be an effective tactic. Botnet takedowns also send a clear message to criminals that they are not invulnerable and that law enforcement are increasingly developing their capabilities in this area to detect, disrupt, and to detain those involved in online crime,” Honan added.

Preventing infection

According to McAfee, although the threat is consistently polymorphic, the core behavior has remained virtually the same, allowing customers to easily prevent infections by taking these precautionary measures:
