Europol And Security Firms Take Down ‘Polymorphic’ Beebone Botnet


Joint operation between authorities and security firms helps to take down ‘wormlike’ Beebone

Europol and a number of security firms have successfully taken down the ‘polymorphic’ Beebone botnet, which infected thousands of computers across the world.

The international police operation known as ‘Operation Source’ enlisted the support of Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Taskforce (J-CAT), Dutch authorities and security firms Intel Security, Kaspersky and Shadowserver to take down the threat.

Beebone is not the most widespread botnet encountered by authorities, but it is among the most sophisticated, infecting systems with multiple forms of malware including banking password stealers, rootkits, fake antivirus and ransomware.

Beebone botnet

It spread not only across networks, but also through removable drives and CDs as well as through ZIP and RAR files.

The authorities and security companies involved created tools to ‘sinkhole’ the botnet: all domain names with which the malware could communicate were suspended or seized, and their traffic was redirected to servers under the operation’s control. In total, 100 domains were taken down by the operation.

Intel Security, which first became aware of the botnet in March 2014, said that at one of Beebone’s peaks, more than 100,000 infections were detected by the McAfee Labs team. As this figure only includes telemetry from Intel Security, it is likely that the true number was much higher.

“Intel Security, along with a global law enforcement collaboration including the Dutch High Tech Crime Unit, Europol, and FBI, this week has successfully dismantled the polymorphic worm known as W32/Worm-AAEH/Beebone,” said Raj Samani, Intel Security EMEA CTO. “Intel Security is aware of more than 5 million unique AAEH samples with more than 100,000 machines from 200 countries identified.”

Successful cooperation

Europol itself said at least 12,000 systems were infected, but also said the actual figure is likely to be higher. Infections were detected in 195 countries, with the US, Japan, India and Taiwan encountering the most.

Data will now be distributed to ISPs (Internet Service Providers) and CERTs (Computer Emergency Response Teams) around the world, so the victims can be informed they have been affected.

“This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime,” said Wil van Gemert, Europol’s deputy director of operations. “We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes.”
