International effort takes down ever-changing Beebone botnet
Several national law enforcement agencies, with assistance from Intel Security, last week dismantled the “Beebone” botnet, which was built from a polymorphic worm that Intel Security tracks as W32/Worm-AAEH.
Intel Security first identified the threat in March 2014 and by September 2014 had collected enough data about it to approach international crime agencies for their support and involvement. Intel Security then worked with Europol’s European Cybercrime Centre (EC3), the Dutch authorities, the U.S. FBI, and private-sector partners in a collaborative effort to take down the threat.
The Beebone botnet, which served as a downloader for other malware on victims’ machines, including banking password stealers, rootkits, fake antivirus, and ransomware, was responsible for infections of thousands of systems across 195 countries. The malware includes worm-like functionality that lets it spread quickly to new machines by propagating across networks, removable drives (USB/CD/DVD), and ZIP and RAR archive files. At one of its peaks in 2014, the McAfee Labs team detected more than 100,000 Beebone infections. Because this figure reflects only Intel Security’s own telemetry, the true number is likely to be much higher.
Commenting on the operation, Raj Samani, Intel Security EMEA CTO, said: “Intel Security, along with a global law enforcement collaboration including the Dutch High Tech Crime Unit, Europol, and FBI, has successfully dismantled the polymorphic worm known as W32/Worm-AAEH/Beebone. Intel Security is aware of more than 5 million unique AAEH samples with more than 100,000 machines from 200 countries identified. This kind of takedown could not have happened without the cooperation between police organisations and private companies like Intel Security.”
Intel Security worked closely with law enforcement and other security providers to develop the tools that led to the eradication of the botnet, an effort that included the takedown of 100 domains.
“This operation is further evidence that only a combined response is capable of slowing down the ever-growing menace of cybercrime. Only with both public and private agencies working together to battle the ever-evolving cyber-threat do we have a chance of bringing them down and making the online world a safer place for all,” concluded Samani.
Key Points
- Intel Security has played a leading role in Operation Source, a law enforcement action in coordination with Europol, Dutch police, the U.S. FBI, Kaspersky, and Shadowserver to take down a “polymorphic” botnet responsible for infecting tens of thousands of victim systems across 195 countries.
- Beebone is a “polymorphic” botnet, so named because it was capable of periodically updating the malware on infected systems with slightly adjusted code. This ability to continuously “morph” its code allowed Beebone to elude signature-based detection methods and produce more than 5 million unique samples.
- Intel’s McAfee Labs identified Beebone in March 2014 and developed an automated monitoring system to identify and mimic communications between the botnet and its hosts. Operation Source leveraged Intel’s intelligence from this monitoring to enable law enforcement, ISP, and CERT partners to successfully suspend or seize all domain names used by the botnet, effectively deactivating its operations.
- Additionally, Intel Security will release a free tool to allow IT administrators and individual users to clean and restore computers infected by Beebone.
- The McAfee Labs team (Raj Samani, Anand Bodke, Abhishek Karnik, Sanchit Karve, and Rick Simon) has released a whitepaper (attached) and blog explaining how they “hacked the hackers” by developing the automated system.
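The “polymorphic” point above is worth seeing concretely. The following is an added illustration written for this page, not Beebone/W32/Worm-AAEH code and not Intel Security’s tooling: a toy one-byte XOR “packer” with a variable junk prefix stands in for the worm’s re-encoding step (the real family’s encoder is not modelled here), and the payload, signature string and sample count are all constructed for the example. It shows why a blocklist of per-sample hashes catches only the one sample it was built from, while a detector that strips the outer layer and matches an invariant core catches every generation.

```python
"""Added example: per-sample hashes vs. a layer-stripping detector against a
toy polymorphic packer. Constructed illustration only; not Beebone code."""
import hashlib
import random

# Constructed stand-in for a worm's invariant core (hypothetical bytes).
PAYLOAD = b"[toy-worm] copy self to removable drives; fetch next stage"

# Indicator that survives re-encoding once the outer layer is removed
# (hypothetical, chosen for this example).
CORE_SIGNATURE = b"copy self to removable drives"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def morph(payload: bytes, key: int, junk_len: int, rng: random.Random) -> bytes:
    """Emit one 'generation' of the sample.
    Layout: [key(1)][junk_len(1)][junk bytes][payload XOR key].
    Every call changes the junk and/or key, so the file bytes (and hash)
    differ while the decoded payload is identical."""
    assert 1 <= key <= 255 and 0 <= junk_len <= 255
    junk = bytes(rng.randrange(256) for _ in range(junk_len))
    encoded = bytes(b ^ key for b in payload)
    return bytes([key, junk_len]) + junk + encoded


def generate_generations(n: int, seed: int = 7) -> list:
    """Produce n morphed copies of PAYLOAD (deterministic for a given seed)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        key = rng.randrange(1, 256)          # 0 would be the identity XOR
        junk_len = rng.randrange(4, 64)
        samples.append(morph(PAYLOAD, key, junk_len, rng))
    return samples


def unique_hash_count(samples: list) -> int:
    return len({sha256_hex(s) for s in samples})


def hash_signature_hits(samples: list, known_hashes: set) -> list:
    """Naive detector: flag a sample only if its SHA-256 is on the blocklist."""
    return [sha256_hex(s) in known_hashes for s in samples]


def unpack(sample: bytes) -> bytes:
    """Detector-side emulation of the stub: read key and junk length, skip the
    junk, undo the XOR. Rejects truncated input instead of returning garbage."""
    if len(sample) < 2:
        raise ValueError("truncated sample: missing header")
    key, junk_len = sample[0], sample[1]
    body = sample[2 + junk_len:]
    if not body:
        raise ValueError("truncated sample: no body after junk")
    return bytes(b ^ key for b in body)


def structural_hits(samples: list) -> list:
    """Detector that strips the outer layer and matches the invariant core."""
    return [CORE_SIGNATURE in unpack(s) for s in samples]


if __name__ == "__main__":
    gens = generate_generations(5)
    blocklist = {sha256_hex(gens[0])}         # AV only ever saw generation 0
    print("distinct hashes:", unique_hash_count(gens))
    print("hash blocklist hits:", hash_signature_hits(gens, blocklist))
    print("structural hits:   ", structural_hits(gens))
```

Run it and the five generations yield five distinct SHA-256 values; the hash blocklist flags only the generation it was built from, while `structural_hits` flags all five because the decoded core never changes. The same reasoning is why the operation described on this page targeted the botnet’s domains rather than chasing individual samples.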