A relatively small yet troublesome botnet has been shut down in a joint operation between U.S. and European law enforcement and a number of private security companies, including Kaspersky Lab.
The takedown of Beebone was carried out on Wednesday by the FBI, the Department of Homeland Security, Europol and Dutch authorities. Also known as AAEH, Beebone was a polymorphic downloader used to infect 12,000 computers worldwide and distribute banking malware, ransomware and other spyware.
An advisory from DHS said Beebone bots could spread across networks, infect machines via removable drives, or arrive as ZIP or RAR attachments. The advisory said the malware is capable of changing its form with every infection, morphing every two hours in some cases. DHS said the downloader has been used to spread Zeus, ZeroAccess, Cutwail and CryptoLocker malware.
In addition to its polymorphic nature, Beebone goes to great lengths to evade detection by antivirus and IPS tools. It does so by blocking connections to IP address blocks associated with security companies’ networks, or by disabling antivirus and other security tools on infected machines.
The takedown is the latest cooperative effort between international law enforcement agencies. The Dutch National High Tech Crime Unit and the Joint Cybercrime Action Taskforce led the operation along with Europol’s European Cybercrime Centre (EC3), the FBI, and U.S.-based representatives at the National Cyber Investigative Joint Task Force - International Cyber Crime Coordination Cell (IC4). Kaspersky Lab, Shadowserver and Intel Security also assisted in the takedown, which was carried out on Wednesday when the botnet was sinkholed.
All the domains used for communication by the botnet were seized, and traffic from victims to the command and control servers was redirected to the sinkhole.
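Once the C2 domains are seized and sinkholed, the practical defender task is to turn the redirected traffic (or an organisation's own DNS logs) into a list of infected hosts to remediate. The following is an added example, not code from the article or from any of the organisations named in it; the domain names and log lines are constructed placeholders, since the seized Beebone domains are not listed on the page. It matches queries against the seized list, including subdomains but not look-alike names that merely share a suffix, and aggregates first/last seen and hit counts per source address.

```python
import re
from datetime import datetime

# Placeholder stand-ins for the seized C2 domains (constructed; the real
# domains are not named in the article).
SEIZED_DOMAINS = frozenset({"c2-example-1.invalid", "c2-example-2.invalid"})

# Constructed DNS/sinkhole log lines: "<ISO timestamp> <source IP> <queried name>".
# Includes a subdomain hit, a trailing-dot FQDN, a malformed line and a
# look-alike name that must NOT match.
SAMPLE_LOG = """\
2015-04-08T09:14:02 10.0.0.12 c2-example-1.invalid
2015-04-08T09:14:05 10.0.0.12 www.example.com
2015-04-08T11:14:03 10.0.0.12 update.c2-example-1.invalid
2015-04-08T09:20:41 10.0.0.57 c2-example-2.invalid.
garbled line that does not parse
2015-04-08T10:02:17 10.0.0.90 notc2-example-1.invalid
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<qname>[A-Za-z0-9.-]+)$"
)


def matches_seized(qname, seized=SEIZED_DOMAINS):
    """Return the seized domain that qname equals or is a subdomain of, else None.

    The comparison is label-aware: 'notc2-example-1.invalid' does not match
    'c2-example-1.invalid' even though it ends with the same characters.
    """
    name = qname.rstrip(".").lower()
    for domain in seized:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def build_victim_report(lines, seized=SEIZED_DOMAINS):
    """Aggregate sinkhole/DNS log lines into a per-source-IP victim report.

    Returns {src_ip: {"count", "first_seen", "last_seen", "domains"}}.
    Malformed lines and queries for unrelated names are skipped.
    """
    victims = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not fit the expected format
        domain = matches_seized(m["qname"], seized)
        if domain is None:
            continue  # benign or unrelated query
        ts = datetime.fromisoformat(m["ts"])
        rec = victims.setdefault(
            m["src"],
            {"count": 0, "first_seen": ts, "last_seen": ts, "domains": set()},
        )
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["domains"].add(domain)
    return victims


def notification_list(report):
    """Flatten the report into (src_ip, count, first_seen, last_seen) rows,
    most active hosts first, for hand-off to the owners of those addresses."""
    rows = [
        (src, rec["count"], rec["first_seen"].isoformat(), rec["last_seen"].isoformat())
        for src, rec in report.items()
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    rep = build_victim_report(SAMPLE_LOG.splitlines())
    for row in notification_list(rep):
        print("%-15s hits=%d first=%s last=%s" % row)
```

The suffix check is the part that most often goes wrong in ad hoc scripts: a plain `endswith()` on the seized name would flag `notc2-example-1.invalid`, producing false positives in the notification list, so the match requires either an exact name or a preceding dot.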
“This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime,” said Europol deputy director of operations Wil van Gemert. “We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities.”
Europol said there are five million unique AAEH, or Beebone, samples in the wild. More than 205,000 samples were collected from 23,000 infected systems in the last two years. Most of the infections occurred in the United States, but computers in 195 countries were infected.