Several global law enforcement agencies—with assistance from McAfee —this week successfully dismantled the “Beebone” botnet behind a polymorphic worm known by McAfee as W32/Worm-AAEH. The purpose of this worm is to facilitate downloading other malware, including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail spambots, fake antivirus, and ransomware. The worm spreads quickly to new machines and contains a cyclic update routine to replace itself with newer versions that increase the likelihood the worm will remain undetected by security software.
McAfee is aware of more than 5 million unique W32/Worm-AAEH samples. In September 2014, McAfee Labs telemetry detected more than 100,000 infections on systems in 195 countries with the majority in the United States. More recently, the number of infected systems McAfee Labs detected dropped to 12,000, largely due to our products’ effectiveness in blocking these attacks.
The botnet takedown, known as Operation Source, was led by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT). Most EU member states and law enforcement partners around the world coordinated in the action. The Dutch High Tech Crime Unit led the J-CAT effort. The U.S. Federal Bureau of Investigation provided valuable support.
The J-CAT is an effective multilateral platform established to fight cybercrime. The J-CAT works together on an operational level with public and private entities and academia to identify and mitigate the biggest cyber threats around the world and apprehend the persons responsible for them.
McAfee , along with Kaspersky Lab and Shadowserver, also provided assistance for this takedown. Shadowserver brought technical investigative skills and a rich set of information about the worm and its supporting botnet. More about the worm and botnet can be found in the McAfee Labs report Catch Me If You Can: Antics of a Polymorphic Botnet.
Dismantling the botnet’s communications infrastructure is only part of the response. Infected system remediation is equally important. Evasive steps taken by the botnet made this particularly difficult. The botnet not only changes the worm’s fingerprint many times every day, but it also actively blocks connections to security vendor websites (including mcafee.com). This is illustrated in the following image:
Because W32/Worm-AAEH blocks connections to security software providers, those infected may have difficulty following links to download removal tools. To overcome that hurdle, the team at Shadowserver, whose support was critical to this operation, has made a webpage available from which these tools can be directly downloaded. McAfee customers can find a removal tool at https://www.mcafee.com/us/downloads/free-tools/stinger.aspx.
At McAfee, we believe in public-private partnerships. This operation is further evidence that only a combined response is capable of slowing down the ever-growing menace of cybercrime.