Beebone Botnet Taken Down By Another Security Team-Up

Small in scale, but high in sophistication, the Beebone botnet and polymorphic downloader is disrupted by an international, public-private effort.

Another botnet came crashing down (at least temporarily) yesterday, as a result of an international, public-private collaboration. The effort, led by the Dutch National High-Tech Crime Unit, disrupted Beebone (a.k.a. AAEH) -- a botnet that's small in scale but high in sophistication, based upon a polymorphic downloader that installs a variety of other malware on victim machines, including rootkits and ransomware.

"Operation Source" followed the same model established by "Operation Tovar," which took down the Gameover ZeuS botnet in June. All of the Beebone botnet's domain names were seized and all traffic redirected. The data was distributed to ISPs and CERTs, which could thereby help identify infected machines and help victims remove Beebone -- and the other malware it installed -- from their systems.

Also, like Tovar and recent operations that disrupted Shylock and Hikit, Operation Source tapped the resources of a wide variety of organizations. In addition to the Dutch National High-Tech Crime Unit, agents from the FBI, Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce, and the National Cyber Investigative Joint Task Force worked on the effort. The private sector helped, too, with researchers from Intel Security, Kaspersky Labs, and Shadowserver providing support.

What makes this case a bit different is that Beebone isn't nearly as widespread as some of the prior targets. Although Europol's announcement today states, "it is likely there are many more," the estimate is that there are only about 12,000 Windows client and server machines infected with Beebone (most of which are in the United States).

"The botnet does not seem the most widespread," the release states, "however the malware is a very sophisticated one."

Beebone is polymorphic -- meaning it has the ability to change its form with every infection. In fact, once it's installed, it morphs every few hours. Even though there are only about 12,000 machines infected with the malware, there are over 5 million unique samples of it. This makes it nearly impossible for signature-based anti-virus to block it. Plus, Beebone terminates connections to the IP addresses of security companies and disables tools that try to terminate it. 

The malware also spreads like a worm. (Intel's name for it is W32/Worm-AAEH.) It propagates across networks, via removable drives, and through ZIP and RAR archive files. 

Once it's there, it's hard to get rid of, and serves as an easy delivery system for other malware with a variety of more vicious payloads. Beebone has downloaded rootkits (including ZeuS and ZeroAccess), ransomware (including CryptoLocker), password stealers (including ZBot), and fake anti-virus. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
4/14/2015 | 10:53:37 AM
Threats become more complex
As this article points out, botnets are becoming more sophisticated. The malware world has come to a point where it does not matter whether your devices are connected or not; they now target all devices in use. That is quite scary.
User Rank: Ninja
4/14/2015 | 10:43:40 AM
Re: Beebone Botnet Taken Down
I agree, freespiritny25. We rarely heard of anybody getting punished because of harm they caused in cyber space.
User Rank: Ninja
4/14/2015 | 10:42:01 AM
Re: But has anyone been arrested?
They may get arrested; that is not being publicized as well as the cyber attack they executed.
User Rank: Ninja
4/14/2015 | 10:39:02 AM
One down?
It is good news that we have a handle on this one. One down, too many to go.
User Rank: Apprentice
4/11/2015 | 12:46:03 PM
Re: Beebone Botnet Taken Down
I agree..I think there needs to be more consequences.
Some Guy
User Rank: Moderator
4/10/2015 | 3:13:27 PM
But has anyone been arrested?
Taking a botnet down is necessary, but IMHO, falls far short of sufficient.

Did anyone get arrested?

Did any funds get seized?

Yakov Smirnov in his comedy routines used to talk about warning shots. They shot you and that was warning to the next guy. Until we get to that point with cybercrime, we are just bailing the ocean.