Security researchers have teamed up with the law enforcement community for another takedown of a malware network.
This time, the target was the Beebone botnet. The effort involved police agencies from all over the world, including Europol and the FBI, as well as private sector partners such as Kaspersky Lab and Intel Security. Dubbed ‘Operation Source’, the takedown sinkholed the botnet by registering, seizing or suspending all the domain names the malware used to communicate and redirecting traffic.
“This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime,” said Europol’s Deputy Director of Operations, Wil van Gemert, in a statement. “We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities.”
According to Symantec, Beebone first arrived on the scene in 2009. The malware – which is known by a variety of names, including Changeup and W32/Worm-AAEH – is a polymorphic worm, and initially only spread through removable and mapped drives via the Autorun feature in Windows.
“The worm is written in Visual Basic (VB) which on the one hand could be considered a limiting factor as a specific set of skills are required to implement complex behavior in malware programmed in VB; however, the flipside to that is it can also take a lot more time and effort from security researchers when it comes to analysis,” according to Symantec’s Security Response team.
“Changeup first got itself in the spotlight about a year after it first appeared when it began exploiting the Microsoft Windows Shortcut ‘LNK’ Files Automatic File Execution Vulnerability (CVE-2010-2568) to spread,” Symantec continued. “CVE-2010-2568 allowed a computer to become infected if a user merely viewed the contents of a folder which included a malicious .lnk, or shortcut. This was due to Windows failing to properly handle shortcut files, which allowed files to execute automatically when they were viewed. This meant that Changeup didn’t have to just rely on the Autorun feature anymore. The worm would later employ file-sharing applications in its efforts to spread to as many computers as possible.”
The malware works primarily as a downloader, and has been linked to threats such as the Zefarch Trojan and Tidserv. The United States and South Africa are home to the largest percentages of infections, with approximately 11 and 10 percent, respectively, Symantec found.
“Although Changeup activity has been in decline in recent times, our telemetry shows that detections dropped from over 55,000 detections a month at the beginning of 2014 to just under 30,000 a year later,” Symantec reported. “These statistics show why efforts to disrupt a malware delivery network such as this should continue.”
In a joint blog post, Intel Security’s Vincent Weafer and Raj Samani called the takedown the result of close cooperation between everyone involved.
“Of course dismantling the communications infrastructure is only part of the response, with the remediation of infected systems a critical step in the dismantling of a botnet,” Samani and Weafer blogged. “This is made particularly more difficult with the evasive steps taken by the botnet regarding clean-up. Not only were we faced with multiple DGA refreshes (Domain Generation Algorithm), but also the botnet actively blocks connections to Anti-Virus vendor websites (including our own).”
“By spreading the downloader worm known as W32/Worm-AAEH, Beebone facilitated the download of a variety of malware, including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail Spambots, Fake anti-virus and ransomware,” they added. “W32/Worm-AAEH includes worm-like functionality to spread quickly to new machines, and contains a cyclic update routine to replace itself with newer versions to increase likelihood of remaining undetected by anti-virus software. During its peak in July/August 2014, it updated itself with newer variants up to multiple times a day.”
The operation is just another example of partnerships between the private sector and public sector to disrupt cyber-attackers. Earlier this year, researchers at Microsoft, AnubisNetworks and Symantec worked with law enforcement to deliver a body blow to the Ramnit botnet.