Another botnet came crashing down (at least temporarily) yesterday, as a result of an international, public-private collaboration. The effort, led by the Dutch National High-Tech Crime Unit, disrupted Beebone (a.k.a. AAEH) -- a botnet that's small in scale but high in sophistication, based upon a polymorphic downloader that installs a variety of other malware on victim machines, including rootkits and ransomware.
"Operation Source" followed the same model established by "Operation Tovar," which took down the Gameover ZeuS botnet in June. All of the Beebone botnet's domain names were seized and all traffic redirected. The data was distributed to ISPs and CERTs, which could thereby help identify infected machines and help victims remove Beebone -- and the other malware it installed -- from their systems.
Also, like Tovar and recent operations that disrupted Shylock and Hikit, Operation Source tapped the resources of a wide variety of organizations. In addition to the Dutch National High-Tech Crime Unit, agents from the FBI, Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce, and the National Cyber Investigative Joint Task Force worked on the effort. The private sector helped, too, with researchers from Intel Security, Kaspersky Labs, and Shadowserver providing support.
What makes this case a bit different is that Beebone isn't nearly as widespread as some of the prior targets. Although Europol's announcement today states, "it is likely there are many more," the estimate is that there are only about 12,000 Windows client and server machines infected with Beebone (most of which are in the United States).
"The botnet does not seem the most widespread," the release states, "however the malware is a very sophisticated one."
Beebone is polymorphic -- meaning it changes its form with every infection. In fact, once it's installed, it morphs every few hours. Even though only about 12,000 machines are infected with the malware, there are over 5 million unique samples of it. This makes it nearly impossible for signature-based anti-virus to block it. Plus, Beebone terminates connections to the IP addresses of security companies and disables tools that try to terminate it.
The malware also spreads like a worm. (Intel's name for it is W32/Worm-AAEH.) It propagates across networks, via removable drives, and through ZIP and RAR archive files.
Once it's there, it's hard to get rid of, and it serves as an easy delivery system for other malware with a variety of more vicious payloads. Beebone has downloaded rootkits (including ZeuS and ZeroAccess), ransomware (including CryptoLocker), password stealers (including ZBot), and fake anti-virus.