After two years of intense research, a joint international public and private effort finally took down the notorious Andromeda botnet on November 29th. Andromeda was one of the biggest botnets out there, used to distribute malware and steal information from infected systems. A joint effort between the FBI, Europol’s European Cybercrime Centre (EC3), several other international cybercrime task forces, Microsoft, and ESET finally thwarted a malicious network that had been active for years. Although some of the systems affected by Andromeda are still infected, security experts note that this campaign is a good example of how public and private cooperation can make the Internet a safer place for everyone.
What is Andromeda Botnet?
Andromeda, also known as Gamarue or Wauchos, is a family of Trojan infections that are tied together in one network. It works on various Windows platforms, from Windows 2000 to Windows 7. Although the network itself is not considered destructive, over the years it was used to distribute many malicious payloads, some of which caused serious damage to the infected systems. For instance, ransomware infections like Petya and Cerber were also distributed via the Andromeda botnet.
The botnet was first spotted in 2011, and it has been rampant ever since. One feature common to all versions of this botnet is that the malware can check whether it is being executed in a virtual environment, which is where analysts typically test samples. In effect it “knows” when someone is trying to test or detect it, and it tries to evade analysis when that happens. Hence, the best way to take down the Andromeda botnet was to tackle it in the wild, and that is exactly what Microsoft and ESET did.
It is important to point out that the botnet was not used solely by its authors. On the contrary: many different cyber criminals used Andromeda to distribute malware and steal information. With so many local command and control centers around, coordinating the shutdown was much harder. The reason Andromeda was so prevalent was that the botnet kit could be purchased on the dark net. According to law enforcement authorities in Belarus, Andromeda was sold for $500 USD per kit, plus an additional $10 USD for updates.
What’s more, Microsoft suggests that the creators sold a keylogger associated with the network for $150 USD apiece, and an additional module for stealing data submitted through web browser forms for another $250 USD. This was clearly a lucrative business, and research shows that the Andromeda botnet employed a wide range of distribution methods. To reach target systems, criminals used social media, spam email campaigns, messaging apps, exploit kits, and so on. Once a system was infected, the malware was used to steal credentials and install additional malware.
Andromeda Botnet: Part of the Avalanche network
The shutdown of this malicious botnet does not come out of nowhere. As mentioned, the campaign to take it down started two years ago: in December 2015, Microsoft began analyzing the Gamarue malware network in partnership with the Slovak security firm ESET. Although two years may seem like quite a long time, we would like to point out a precedent that clearly helped the private companies and law enforcement authorities to tackle Andromeda.
Back in November 2016, another notorious network was taken down: the so-called Avalanche network, which was used as a malware delivery platform. Cyber criminals used it to launch and manage global attacks. It was also employed for money mule recruitment campaigns, in which criminals looked for people to transfer illegally acquired money. Money mules are often employed for online fraud, so it is no surprise that Avalanche and similar networks were used to recruit them. The point is that it took four years of investigation to take down Avalanche, and the insights that the researchers gained during that campaign eventually helped them take down Andromeda, too.
How big was Andromeda?
It is one thing to talk about big botnets, but it is another thing to see their scope expressed in numbers. As mentioned, the Andromeda malware could not be tested in a virtual environment, so it took Microsoft and ESET 18 months to identify and analyze its command and control communication. According to news reports, ESET eventually identified the servers that were running the botnet, and this allowed law enforcement to initiate the so-called sinkholing technique, in which traffic from infected computers was redirected to safe police-controlled servers. This allowed the law enforcement authorities to gather more information about the infection and its scope.
It was already known that the Andromeda botnet was responsible for over 80 types of infections, and that the network would infect over a million systems every single month. On top of that, when the sinkholing was initiated, researchers found more than 2 million infected IP addresses from 223 countries in 48 hours. Also, analysis of 44,000 malware samples led researchers to 464 separate botnets, all connected to one big network. Not to mention that the command and control servers used by the botnet covered 1,214 domains and IP addresses.
Does this mean that Andromeda was eradicated completely? Hardly. The main sources of the infection may have been tackled, but security researchers say that at least 55% of the systems infected by Andromeda and the associated Avalanche network are still operational. It is very unlikely that the owners of those systems know about the infection or will take any kind of action. After all, Trojan infections are stealthy, and they are not that easy to notice.
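Sinkholing, as described above, means that infected machines keep beaconing, but now to servers operated by law enforcement; the practical consequence for a network defender is that a still-infected host reveals itself in the organisation's own DNS resolver logs. The following is an added example, not code from the article or from any of the takedown partners: it parses constructed resolver log lines and flags internal clients that either queried a listed sinkholed domain or received an answer inside a sinkhole address range. The log format, the domain names and the 203.0.113.0/24 range are constructed placeholders; real indicators would come from a national CERT or ISP notification. The answer-range check goes a little beyond the article's description, since it also catches domains that were not on the indicator list but resolve into the sinkhole range.

```python
"""
Find internal hosts that still beacon to sinkholed command-and-control
infrastructure, using DNS resolver logs.

Added example, not from the article or any of its cited sources. The log
format, the domain list and the sinkhole address range are constructed
placeholders; a real deployment would load the indicator list published by
its CERT or ISP and read its own resolver's logs.
"""
import ipaddress
import re
from datetime import datetime

# Constructed placeholder indicators (assumption: in practice these come from
# the takedown partners or a national CERT, not from this file).
SINKHOLED_DOMAINS = {
    "c2-placeholder-1.example",
    "c2-placeholder-2.example",
}
SINKHOLE_NETWORK = ipaddress.ip_network("203.0.113.0/24")  # TEST-NET-3, placeholder

# Constructed log format: "<ISO timestamp> client <ip> query <qname> answer <rdata>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) answer (?P<answer>\S+)$"
)

# Constructed sample log. 10.0.0.17 beacons to two listed domains, 10.0.0.23
# resolves an unlisted name into the sinkhole range, 10.0.0.5 is clean.
SAMPLE_LOG = """\
2017-12-01T08:00:01 client 10.0.0.5 query www.example.org answer 93.184.216.34
2017-12-01T08:00:07 client 10.0.0.17 query c2-placeholder-1.example answer 203.0.113.10
2017-12-01T08:05:07 client 10.0.0.17 query c2-placeholder-1.example answer 203.0.113.10
2017-12-01T08:06:00 client 10.0.0.23 query updates.example.net answer 203.0.113.77
2017-12-01T08:10:07 client 10.0.0.17 query c2-placeholder-2.example answer 203.0.113.11
2017-12-01T08:11:00 client 10.0.0.5 query mail.example.org answer 93.184.216.35
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (timestamp, client, qname, answer_ip), or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
        answer = ipaddress.ip_address(m["answer"])
    except ValueError:
        return None
    return ts, m["client"], m["qname"].lower().rstrip("."), answer


def is_sinkhole_hit(qname, answer):
    """A hit is a known sinkholed domain, or any name resolving into the sinkhole range."""
    return qname in SINKHOLED_DOMAINS or answer in SINKHOLE_NETWORK


def find_infected_hosts(log_text):
    """Aggregate sinkhole hits per client: count, first/last seen and the names involved."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname, answer = rec
        if not is_sinkhole_hit(qname, answer):
            continue
        h = hosts.setdefault(client, {"hits": 0, "first": ts, "last": ts, "domains": set()})
        h["hits"] += 1
        h["first"] = min(h["first"], ts)
        h["last"] = max(h["last"], ts)
        h["domains"].add(qname)
    return hosts


if __name__ == "__main__":
    for client, info in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {info['hits']} hit(s) {info['first']} .. {info['last']} "
              f"domains={sorted(info['domains'])}")
```

The per-host aggregation matters more than a raw alert list: a single stale cached lookup is noise, whereas a host hitting the same names every few minutes over hours is the beaconing pattern the article describes. The answer-range check should be tuned to the exact prefixes named in the notification you received, since a too-wide range would flag legitimate names that happen to share address space.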
Who is responsible for Andromeda?
According to various news outlets, this massive crackdown was also followed by arrests in Belarus. A citizen of Belarus was arrested as the main suspect in the entire Andromeda operation, for selling malicious software; the software in question was used to administer the Andromeda network.
Although law enforcement authorities did not reveal the identity of the arrested suspect, several news sites report that the suspect is known as Ar3s, a notorious hacker from the Russian-speaking cyber crime underground. The hacker has been active since 2004, and he is credited as the creator of the Andromeda network. Although certain entities associated with the hacker have declined to comment, a few sources identify the suspect as Sergei Yarets.
It is still not clear whether only one person was behind this entire network, but the successful crackdown on one of the biggest and oldest botnets clearly proves that a joint law enforcement and private company effort can take on even the most entrenched infections out there.
References:
- Help Net Security. Andromeda botnet dismantled in international cyber operation. Help Net Security.
- Danny Palmer. A giant botnet behind one million malware attacks a month just got shut down. ZDNet.
- Reuters. Alleged Cyber Crime Kingpin Arrested in Belarus. Fortune.
- Rafia Shaikh. Microsoft, FBI and Others Partner to Shut Down the Massive Andromeda Botnet. WCCFtech.
- Joe Uchill. Europe, US take down massive Andromeda botnet. The Hill.