Andromeda Botnet Returns With Souped-Up Stealth Skills

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Malware drops in a modular fashion making it harder for security products to pick it up

A botnet named Andromeda has resurfaced and is trying to shove backdoors into machines across the world, a security firm has warned.

The threat itself arrives via spammed messages with malicious attachments, or links to compromised websites hosting Blackhole Exploit Kit. Variants of the Andromeda malware can be bought on the Internet underground for as much as $500.

Botnet comes back

ENISA botnet reportBut there are a number of plugins available for more money, which can do a variety of things, including keylogging and installing rootkits to hide the malicious software from security protections.

Australia, Turkey, and Germany are the top targeted countries, according to Trend Micro.

Thanks to the modular aspect of the Andromeda botnet, scanning technologies may struggle to pick up the threat. The malware even drops in a modular fashion, rather than in one lump file, making detection a little trickier.

“The perpetrators behind Andromeda have improved the malware’s propagation routines to proliferate itself by dropping several component files, one of which creates the registry key containing an encrypted .DLL file for its propagation,” Trend noted in a blog post.

“To some degree, these threats can be evaded by not opening links or attachments in suspicious emails, although with well-crafted emails this can be difficult.”

Andromeda was first spotted in late 2011, but was quiet throughout 2012. It’s likely the creators were improving their malicious software before relaunching in earnest.

Are you a security expert? Try our quiz!

 

Read also :