Andromeda Strained - International Cyber Op Dismantles Botnet

11 December 2017
 

On November 29, the Federal Bureau of Investigation, in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners, dismantled one of the longest-running malware families in existence, Andromeda (also known as Gamarue).

This widely distributed malware created a network of infected computers called the Andromeda botnet. According to Microsoft, Andromeda’s main goal was to distribute other malware families. Andromeda was associated with 80 malware families and, in the last six months, it was detected or blocked on an average of over 1 million machines every month.

Andromeda was also used in the infamous Avalanche network, which was dismantled in a huge international cyber operation in 2016.

Steven Wilson, the Head of Europol’s European Cybercrime Centre, said: “This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”

 

Avalanche

One year ago, on 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Luneburg Police in Germany, the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners, had dismantled the international criminal infrastructure Avalanche. This was used as a delivery platform to launch and manage mass global malware attacks such as Andromeda and money mule recruitment campaigns.

Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle Andromeda.

Jointly, the international partners took action against servers and domains, which were used to spread the Andromeda malware. Overall, 1500 domains of the malicious software were subject to sinkholing (see below for explanation). According to Microsoft, during 48 hours of sinkholing, approximately 2 million unique Andromeda victim IP addresses from 223 countries were captured. The involved law enforcement authorities also executed the search and arrest of a suspect in Belarus.

 

Avalanche - 55% still infected

Simultaneously, the German sinkhole measures of the Avalanche case have been extended by another year. An extension of this measure was necessary, as globally 55 per cent of the computer systems originally infected in Avalanche are still infected today.

The measures to combat the malicious Andromeda software as well as the extension of the Avalanche measures involved the following EU Member States: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, and the following non-EU Member States: Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.

The operation was supported by the following private and institutional partners: Shadowserver Foundation, Microsoft, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI).

The operation was coordinated from the command post hosted at Europol’s HQ.

 

Botnets

Botnets are networks of computers infected with malware, which are under the control of a cybercriminal. Botnets allow criminals to harvest sensitive information from infected computers, such as online banking credentials and credit card information. A criminal can also use a botnet to perform cyberattacks on other computer systems, such as denial-of-service attacks.

 

Sinkholing

Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains or IP addresses used by the criminals. When employed at a 100% scale, infected computers can no longer reach the criminal command-and-control computer systems and criminals can therefore no longer control the infected computers. The sinkholing infrastructure captures victims’ IP addresses, which can subsequently be used for notification and follow-up through dissemination to National CERTs and network owners.
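
The notification step described above can be sketched in code. The following is an added example, not code from the operation or its partners: it de-duplicates victim IP addresses from sinkhole hits and groups them by the most specific owning network so each owner gets one list. The log format, the prefix-to-contact table and all addresses and domains are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log: "<timestamp> <source IP> <sinkholed domain>"
SAMPLE_LOG = """\
2017-11-29T10:00:01Z 192.0.2.10 c2-one.example
2017-11-29T10:00:05Z 192.0.2.10 c2-two.example
2017-11-29T10:01:12Z 198.51.100.7 c2-one.example
2017-11-29T10:02:40Z 203.0.113.99 c2-one.example
2017-11-29T10:03:02Z 198.51.100.200 c2-two.example
not-a-log-line
2017-11-29T10:04:00Z 999.1.1.1 c2-one.example
"""

# Hypothetical prefix-to-contact table; a real one would come from
# registry data or a National CERT's constituency list.
NETWORK_OWNERS = {
    "192.0.2.0/24": "cert@isp-a.example",
    "198.51.100.0/25": "abuse@isp-b.example",
    "198.51.100.0/24": "cert@national-cert.example",
}

def parse_hits(log_text):
    """Yield (ip, domain) for each well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:  # e.g. 999.1.1.1 is not a valid address
            continue
        yield ip, parts[2]

def build_notifications(log_text, owners):
    """Map each contact to the sorted unique victim IPs in its network."""
    # Longest prefix first, so a customer /25 wins over the covering /24.
    nets = sorted((ipaddress.ip_network(p) for p in owners),
                  key=lambda n: n.prefixlen, reverse=True)
    report = defaultdict(set)
    for ip, _domain in parse_hits(log_text):
        contact = next((owners[str(n)] for n in nets if ip in n),
                       "unattributed")
        report[contact].add(str(ip))
    return {contact: sorted(ips) for contact, ips in report.items()}

if __name__ == "__main__":
    for contact, ips in build_notifications(SAMPLE_LOG, NETWORK_OWNERS).items():
        print(contact, ips)
```

Addresses that match no known prefix are kept under "unattributed" rather than dropped, so they can still be passed to a National CERT for follow-up.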

Picture: One of the longest running malware families in existence – Andromeda (also known as Gamarue) – has been dismantled

Article written by Brian Shillibeer | Published 11 December 2017
