Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

4/9/2015
01:45 PM

Beebone Botnet Taken Down By Another Security Team-Up

Small in scale, but high in sophistication, the Beebone botnet and polymorphic downloader is disrupted by an international, public-private effort.

Another botnet came crashing down (at least temporarily) yesterday, as a result of an international, public-private collaboration. The effort, led by the Dutch National High-Tech Crime Unit, disrupted Beebone (a.k.a. AAEH) -- a botnet that's small in scale but high in sophistication, based upon a polymorphic downloader that installs a variety of other malware on victim machines, including rootkits and ransomware.

"Operation Source" followed the same model established by "Operation Tovar," which took down the Gameover ZeuS botnet in June. All of the Beebone botnet's domain names were seized and all traffic redirected. The data was distributed to ISPs and CERTs, which could thereby help identify infected machines and help victims remove Beebone -- and the other malware it installed -- from their systems.
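The redirect-and-notify step described above, as an added illustration (example code, not Operation Source's tooling or anything from the original article): once the seized domains resolve to a sinkhole, every beacon it receives points at a likely infected host, and the job is to collapse those hits per host and route each host to the ISP or CERT able to reach its owner. The log lines, domain names and prefix-to-owner table are constructed for the example.

```python
# Added example (not the page's or Operation Source's own code): triage of the
# beacons a sinkhole receives once seized C2 domains are redirected to it.
import ipaddress
from collections import defaultdict

# Constructed sinkhole log: "<utc timestamp> <src ip> <queried domain>".
SINKHOLE_LOG = """\
2015-04-08T10:00:01Z 203.0.113.7 ab12.example-c2.net
2015-04-08T10:00:09Z 203.0.113.7 cd34.example-c2.net
2015-04-08T10:01:30Z 198.51.100.22 ab12.example-c2.net
2015-04-08T10:02:45Z 192.0.2.140 ef56.example-c2.net
2015-04-08T10:03:12Z 192.0.2.9 ef56.example-c2.net
2015-04-08T10:04:00Z 10.0.0.5 ab12.example-c2.net
"""

# Constructed prefix -> notification recipient table (in practice derived from
# WHOIS/BGP data). The most specific matching prefix wins.
NETWORK_OWNERS = {
    "203.0.113.0/24": "ISP-A abuse desk",
    "198.51.100.0/24": "ISP-B abuse desk",
    "192.0.2.0/24": "National CERT",
    "192.0.2.128/25": "ISP-C abuse desk",  # carved out of the CERT's range
}
# RFC 1918 sources are NAT artefacts on the sinkhole's own side: nobody to notify.
RFC1918 = tuple(ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def owner_for(ip: str) -> str:
    """Longest-prefix match of ip against NETWORK_OWNERS; 'unattributed' if none."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "unattributed"
    best, best_len = "unattributed", -1
    for cidr, owner in NETWORK_OWNERS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = owner, net.prefixlen
    return best

def build_notifications(log_text: str) -> dict:
    """Return {recipient: {ip: (first_seen, beacon_count)}}, collapsing hits
    per host so each recipient gets one entry per infected machine."""
    hosts = {}
    for line in filter(None, log_text.splitlines()):
        ts, ip, _domain = line.split()
        first, count = hosts.get(ip, (ts, 0))
        hosts[ip] = (min(first, ts), count + 1)
    report = defaultdict(dict)
    for ip, (first, count) in hosts.items():
        report[owner_for(ip)][ip] = (first, count)
    return dict(report)
```

The beacon count per host is what lets a recipient distinguish a persistently infected machine from a one-off lookup when it follows up with the customer.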

Also, like Tovar and recent operations that disrupted Shylock and Hikit, Operation Source tapped the resources of a wide variety of organizations. In addition to the Dutch National High-Tech Crime Unit, agents from the FBI, Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce, and the National Cyber Investigative Joint Task Force worked on the effort. The private sector helped, too, with researchers from Intel Security, Kaspersky Labs, and Shadowserver providing support.

What makes this case a bit different is that Beebone isn't nearly as widespread as some of the prior targets. Although Europol's announcement today states, "it is likely there are many more," the estimate is that there are only about 12,000 Windows client and server machines infected with Beebone (most of which are in the United States).

"The botnet does not seem the most widespread," the release states, "however the malware is a very sophisticated one."

Beebone is polymorphic -- meaning it has the ability to change its form with every infection. In fact, once it's installed, it morphs every few hours. Even though there are only about 12,000 machines infected with the malware, there are over 5 million unique samples of it. This makes it nearly impossible for signature-based anti-virus to block it. Plus, Beebone terminates connections to the IP addresses of security companies and disables tools that try to terminate it. 

The malware also spreads like a worm. (Intel's name for it is W32/Worm-AAEH.) It propagates across networks, via removable drives, and through ZIP and RAR archive files. 

Once it's there, it's hard to get rid of, and serves as an easy delivery system for other malware with a variety of more vicious payloads. Beebone has downloaded rootkits (including ZeuS and ZeroAccess), ransomware (including CryptoLocker), password stealers (including ZBot), and fake anti-virus. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
Dr.T, User Rank: Ninja
4/14/2015 | 10:53:37 AM
Threats become more complex
As this article points out, botnets are becoming more sophisticated. The malware world has come to a point where it does not matter whether your device is connected or not; they now target all devices in use. That is quite scary.
Dr.T, User Rank: Ninja
4/14/2015 | 10:43:40 AM
Re: Beebone Botnet Taken Down
I agree, freespiritny25. We rarely hear of anybody getting punished for the harm they caused in cyberspace.
Dr.T, User Rank: Ninja
4/14/2015 | 10:42:01 AM
Re: But has anyone been arrested?
They may get arrested; that is just not publicized as well as the cyber attack they executed.
Dr.T, User Rank: Ninja
4/14/2015 | 10:39:02 AM
One down?
It is good news that we have a handle on this one. One down, too many to go.
freespiritny25, User Rank: Apprentice
4/11/2015 | 12:46:03 PM
Re: Beebone Botnet Taken Down
I agree. I think there need to be more consequences.
Some Guy, User Rank: Moderator
4/10/2015 | 3:13:27 PM
But has anyone been arrested?
Taking a botnet down is necessary, but IMHO, falls far short of sufficient.

Did anyone get arrested?

Did any funds get seized?

Yakov Smirnov, in his comedy routines, used to talk about warning shots: they shot you, and that was a warning to the next guy. Until we get to that point with cybercrime, we are just bailing the ocean.