Revisiting takedown wins: Are users in the developing world getting left behind?

We have all seen the headlines: another botnet dismantled, and we can all rest easy that the threat that has been plaguing us for all those years is now no longer an issue. After the headlines, however, the hardest task begins – a task that garners no headlines and really typifies the challenge that all of us within the information security industry face.

This challenge focuses on the general public, and remediation activities.

Let’s take the Beebone botnet as an example. Our initial estimates on the number of infections proved to too conservative. In fact, in a 24-hour window, around 36,000 unique infected systems connected to the sinkholed C&C server. These users were lucky, as Beebone is a downloader that, if they had reached the right server, would have downloaded additional malware, such as:

  • Banking password stealers: ZBot, BackDoor-FJW
  • Spambot: Cutwail
  • Downloaders: Upatre, RecSlurp
  • Rootkits: Necurs, ZeroAccess, TDSS
  • Password stealer: Dorkbot
  • Ransomware: Lerspeng
  • IRCBot + DDoSer: SDBot
  • Adware injector: Miuref.

These are certainly things no one wants on their computer. Therefore, we began a process of developing free tools to allow affected users to clean their computer. Similar tools were provided by all of our colleagues from other AV companies, free of charge. In addition, a widespread communications program went into effect, aimed at notifying as many affected users as possible about the fact that these tools were made available to them.

The result? At the time of writing, the number of unique infections in a 24-hour window has fallen to just over 33,000. Perhaps one explanation for that unimpressive drop is that the message is not getting through to affected users located in the countries where the largest number of infections has been noted (Stats courtesy of Shadowserver):


The industry has moved on since the takedown – we have had more than enough new headlines. However, it is important not to simply shrug our shoulders and assume that the issue is now resolved. There are still tens of thousands of people in developing nations that are having their passwords and data stolen. Whilst remediation efforts are certainly producing a positive impact, we must now turn our focus towards those countries and users where the message is clearly getting lost.

I would ask each of you to please think about what connections you may have in those countries, and to help communicate the problem and point to the availability of the free tools. We have often talked about the opportunities that technology can bring, but to ensure that happens for everyone, we have to make certain that no one is left behind.