ESET takes down major botnet operation

Chong Vin Nee
21 Dec 2017
00:00

Earlier this month, security researchers at ESET, in collaboration with Microsoft and law enforcement agencies – the Federal Bureau of Investigation (FBI), Interpol, Europol, and other stakeholders in cybersecurity – took down a major botnet operation known as Gamarue.

The botnet, detected by ESET as Win32/TrojanDownloader.Wauchos, has been infecting victims since 2011.

Through a coordinated takedown, law enforcement agencies across the globe were able to make an arrest and disrupt the activity of a malware family that had been infecting more than 1.1 million systems per month.

ESET and Microsoft researchers shared technical analysis, statistical information, and the domains of known command-and-control (C&C) servers to help disrupt the malicious activity of the group. ESET also shared its historical knowledge of Gamarue, gained from continuous monitoring of the malware and its impact on users over the past few years.

Created by cybercriminals in September 2011 and sold as a crime-kit on the Dark Web in underground forums, the purpose of the Gamarue family was to steal credentials and download and install additional malware onto users’ systems.

This malware family is a customizable bot whose operator can create and load custom plugins. One plugin, a form grabber, steals the content users enter into web forms; another lets the criminals connect back to and remotely control compromised systems.

Because the kit was sold to many buyers, a number of independent Gamarue botnets exist in the wild. ESET found that its samples have been distributed across the globe through social media, instant messaging, removable media, spam, and exploit kits.

Cybercriminals have traditionally used Gamarue to target home users to steal credentials from websites through its form grabber plugin. However, ESET researchers have recently seen the malware being used to install various spam bots onto compromised machines in a so-called pay-per-install scheme.

Using the ESET Threat Intelligence service, ESET researchers were able to build a bot that could communicate with the threat's C&C servers. As a result, ESET and Microsoft were able to closely track Gamarue's botnets for the past year and a half, identifying their C&C servers for takedown and monitoring what was installed on victims' systems. The two companies have since compiled a list of all of the domains used by the cybercriminals as C&C servers.
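The most direct use a defender can make of a shared C&C domain list like the one described above is to match it against DNS or proxy logs. The following is an added example, not code from ESET or Microsoft and not based on Gamarue's actual infrastructure: the indicator domains and the BIND-style query log lines are constructed placeholders under the reserved .test TLD. The point it makes is that matching must respect label boundaries, so that a subdomain of an indicator is a hit while an unrelated name that merely contains the indicator as a substring is not.

```python
"""Match DNS query logs against a shared C&C domain list.

Added example, not ESET/Microsoft code. CNC_DOMAINS and SAMPLE_DNS_LOG are
constructed placeholders, not real Gamarue indicators.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed stand-in for a shared list of C&C domains.
CNC_DOMAINS = {
    "update-check.example.test",
    "cdn-sync.example.test",
}

# Constructed BIND-style query log. Line 3 is a subdomain of an indicator
# (should match); line 4 merely contains an indicator as a substring (should not).
SAMPLE_DNS_LOG = """\
01-Dec-2017 10:01:22.103 client 10.0.0.15#51234: query: update-check.example.test IN A + (10.0.0.1)
01-Dec-2017 10:01:23.501 client 10.0.0.15#51235: query: www.microsoft.com IN A + (10.0.0.1)
01-Dec-2017 10:02:07.880 client 10.0.0.22#40211: query: a1.cdn-sync.example.test IN A + (10.0.0.1)
01-Dec-2017 10:02:09.004 client 10.0.0.22#40212: query: notcdn-sync.example.test IN A + (10.0.0.1)
"""

_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return domain.rstrip(".").lower()


def matches_ioc(qname: str, iocs: Iterable[str]) -> str | None:
    """Return the indicator matched by qname, or None.

    A query matches if it equals an indicator or is a subdomain of it.
    'notcdn-sync.example.test' must not match 'cdn-sync.example.test', which
    is why this compares on a label boundary ("." + ioc) rather than using
    substring search.
    """
    q = normalize(qname)
    for ioc in iocs:
        i = normalize(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def scan_dns_log(log_text: str, iocs: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_indicator) for each hit."""
    iocs = list(iocs)
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        matched = matches_ioc(m.group("qname"), iocs)
        if matched:
            hits.append((m.group("client"), normalize(m.group("qname")), matched))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, CNC_DOMAINS):
        print(f"{client} queried {qname} (matches C&C indicator {ioc})")
```

Run against the constructed log, the scanner reports two hits, from 10.0.0.15 and 10.0.0.22, and ignores both the legitimate lookup and the look-alike name. In production the indicator set would be loaded from the shared list and the log would be streamed rather than embedded.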

“In the past, Wauchos has been the most detected malware family amongst ESET users, so when we were approached by Microsoft to take part in a joint disruption effort against it, to better protect our users and the general public at large, it was a no-brainer to agree,” ESET senior malware researcher Jean-Ian Boutin said.

“This particular threat has been around for several years now and it is constantly reinventing itself – which can make it hard to monitor. But by using ESET Threat Intelligence and by working collaboratively with Microsoft researchers, we have been able to keep track of changes in the malware’s behavior and consequently provide actionable data which has proven invaluable in these takedown efforts.”

First published in eGov Innovation
