Header Ads

ESET took part in the liquidation of the Gamarue botnet

ESET, together with Microsoft and law enforcement agencies, including the FBI, Interpol, and Europol, has defused the botnet network Gamarue (Andromeda), which has been in effect since 2011.
The operation started on November 29. In the framework of the liquidation project, a network of 464 separate botnets was disposed of, infecting more than 1.1 million computers every month.

Neutralized the infrastructure of the botnet - 1214 domains and IP-addresses, which were used by operators as management and control servers (C & C).

ESET took on the technical aspects of the preparation of the operatio
n. Together with Microsoft, the company carried out a threat analysis, provided statistics and information about the Gamarue infrastructure. In addition, ESET shared the results of long-term observations of the botnet and malicious programs that were distributed with its help.

The Gamarue family of malware (Wauchos, according to the ESET classification) was created in September 2011 and was sold on a dark web called Andromeda bot. The bot was in demand, so at the time of elimination, hundreds of independent botnets operated in the world. Operators Gamarue used for its distribution different ways: social networks, instant messengers, removable media, spam mailing, sets of exploits.

The Gamarue family is designed to steal credentials, download and execute other malware on infected systems. But operators can modify the bot by implementing additional modules. So, one of the modules allows attackers to intercept data entered by users into web forms (form grabber), the other is to connect to a compromised system and remotely control it.

In preparation for the liquidation of Gamarue, ESET specialists collected information on botnets using the ESET Threat Intelligence telemetry service. They managed to create a bot that connected to the controlling servers of the attackers. With his help, ESET and Microsoft specialists monitored Gamarue for a year and a half, identified servers and other malicious programs downloaded to victim systems. As a result of this work, ESET and Microsoft compiled a list of all domains used by Gamarue operators as management servers.

"In the past, Wauchos was leading in the number of attacks reflected by ESET products, so when Microsoft offered to participate in the operation and protect users, our decision was obvious," commented Jean-Yen Buten, senior virus analyst at ESET. - The threat existed and improved for several years, which made monitoring difficult. Nevertheless, thanks to ESET Threat Intelligence, we were able to track changes in the behavior of the Malvern and contribute to the operation

Powered by Blogger.