
Gamarue Botnet Disrupted In Global Operation

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Law enforcement agencies around the world close down long-running botnets powered by Gamarue malware

Police forces around the world have teamed up to disrupt many long-running botnets powered by a malware family dubbed Gamarue.

The malware also goes by the name of Andromeda or Wauchos, and ESET said it had been approached by Microsoft to help in the takedown.

Gamarue has been around for a very long time now. Indeed, Win32/Gamarue was the most commonly encountered threat in the second half of 2015. It is typically distributed via exploit kits and social engineering.


Global Operation

ESET said that the takedown was part of a “year-plus concerted effort that relied on technical intelligence from Microsoft and ESET researchers.”

“ESET, having been approached by Microsoft to join the disruption effort, provided a technical analysis for the operation that ultimately knocked Wauchos for the count,” it added.

“ESET researchers closely tracked the botnets, identified their C&C servers for takedown, and kept tabs on what those spreading the threat were installing on victims’ systems,” the firm said. “Microsoft then contacted law enforcement with information that included: 464 distinct botnets, 80 associated malware families, and 1,214 domains and IP addresses of the botnet’s C&C servers.”

According to ESET, Wauchos has been around since at least September 2011 and has come in five major versions over the years. It is sold on the Dark Web as a crime kit.

ESET cited Microsoft figures showing that the infection was detected or blocked on an average of nearly 1.1 million machines every month over the past six months.

Indeed, ESET said it found dozens of C&C servers every month.

“Wauchos is mostly used to steal credentials, and to download and install additional malware onto a system,” said ESET researcher Jean-Ian Boutin. “Thus, if a system is compromised with Wauchos, it’s likely that there will be several other malware families lurking on the same system.”


Once a machine is infected with Wauchos, it is typically infested with secondary malware such as Kasidet, which is also known as Neutrino bot. These compromised machines are then used to conduct distributed denial-of-service (DDoS) attacks.

Wauchos has a modular design, allowing it to be easily expanded by plug-ins such as a keylogger and a form grabber. These can steal a user’s personal data. A rootkit meanwhile can be used to hide the malware’s presence.

Botnet Takedowns

“Over the years, intelligence provided by ESET has been instrumental in dismantling a number of criminal operations, including the Dorkbot and Mumblehard botnets, and the Avalanche fast-flux network that was employed by many other botnets,” said ESET.

It is worth noting, however, that Microsoft has over the years played a leading role in the takedown of various botnets around the world.

Indeed Microsoft has long led the tech industry fight against the scourge of botnets.

Starting with Waledac in March 2010, the company has partnered with other technology firms to gather data on a variety of botnets, built civil cases against the botnet operators, and then seized the domains and command-and-control servers of those operators.
