French Cyber Police Takedown Paris-based Botnet


C3N cybercrime unit, along with the FBI and Avast, takes down French botnet that infected 850,000 computers

French cyber police have reportedly taken down a botnet that infected more than 850,000 computers, mostly in South America.

According to AFP, the operation began in March 2019 when Czech antivirus firm Avast alerted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie about a virus called Retadup that was being controlled from a server in the Paris region.

Retadup infected hundreds of thousands of Windows computers in over 100 countries, but mostly in Central and South America. The infection vector was an email that offered either easy money or erotic pictures.

Botnet takedown

The C3N unit worked with the FBI and Avast to take down the malware, and in a “world first” also reportedly removed the malware from the infected computers.

“It’s a huge operation” given the number of computers infected, Gerome Billois, a cybersecurity expert at the French IT services firm Wavestone, said, as reported by AFP.

“Retadup is a malicious worm affecting Windows machines throughout Latin America,” wrote Avast. “Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. However, in some cases, we have also observed Retadup distributing the Stop ransomware and the Arkei password stealer.”

Avast apparently proposed a technique to disinfect Retadup’s victims by exploiting a design flaw in the botnet’s C&C communication protocol.

“In accordance with our recommendations, C3N dismantled a malicious command and control (C&C) server and replaced it with a disinfection server,” wrote Avast. “The disinfection server responded to incoming bot requests with a specific response that caused connected pieces of the malware to self-destruct. At the time of publishing this article, the collaboration has neutralized over 850,000 unique infections of Retadup.”

They then ordered all the infected computers to uninstall the Retadup malware, which police said was allowing the hackers to mine the Monero cryptocurrency. It was also used in ransomware attacks and for stealing data.

It is reported that the hackers were able to make millions of euros since they created the botnet in 2016. The suspects are reportedly still at large.

Install AV

“Don’t click on links if you’re not sure who sent you the email,” Colonel Jean-Dominique Nollet, head of the C3N unit, told France Inter radio on Tuesday.

“Don’t click on attachments either, and use up-to-date antivirus programmes, even free ones,” Nollet said. “And try not to do anything stupid on the internet.”

Avast reportedly said that nearly 85 percent of the infected computers had no antivirus programme installed, while others had one installed but it had been deactivated.

It is common for law enforcement agencies to co-operate with global partners when tackling cyber crime.

In 2017, for example, police forces around the world teamed up to disrupt many long-running botnets powered by a malware family dubbed Gamarue.
