On Monday, Europol announced that the Federal Bureau of Investigation (FBI), in cooperation with several European government and private-sector partners, had dismantled the Andromeda botnet, the longest-running botnet in existence.
What is a botnet?
The term “botnet” is a portmanteau of the words “robot” and “network.” A botnet is a network of internet-connected computers infected with malware. Botnets allow malicious actors to remotely control a large number of infected computers at once. Whoever controls the botnet can direct the infected computers to send spam emails and viruses, mine Bitcoins, and capture sensitive information by installing keyloggers.
Botnets are also often employed by cybercriminals to launch denial of service (DoS) attacks. A DoS attack interrupts the target’s services, and the owner of the targeted website must often pay the attackers a fee, or comply with some other demand, to regain control of their site.
The Andromeda Malware
According to the Europol press release, the Andromeda malware was detected or blocked on an average of over one million machines each month. Discovered in 2011, this malware is modular and dynamic. It does not have one particular use; rather, it can be adapted to many uses through freely available modules that function as keyloggers, form grabbers, rootkits, and so on. The malware is often used to remotely direct computers in the botnet to install additional malicious software. There are many different versions of Andromeda, and they use a variety of infection methods, among them illegal downloads, phishing campaigns, and malicious attachments.
Connection to the Avalanche Platform
Andromeda was infamously used in the Avalanche network, an international criminal infrastructure platform that was dismantled by an international cyber operation in November 2016. Avalanche was used to launch massive malware attacks across the globe, and caused an estimated EUR 6 million in damages to the online banking system in Germany alone. In addition, experts estimate the malware attacks conducted via Avalanche cost hundreds of millions of euros worldwide.
In the end, taking down Avalanche for good demanded close cooperation from the prosecutorial and investigative arms of 30 national governments. The collaborators used a method called sinkholing to ultimately disable the platform. Sinkholing redirects the traffic that infected computers send to their controllers to servers run by law enforcement authorities or a security company, usually by taking over the domain names the criminals used.
Information obtained during the Avalanche investigation was shared with the appropriate authorities via Europol during the Andromeda case. Andromeda was subject to 48 hours of sinkholing, during which authorities collected approximately 2 million unique victim IP addresses from 233 countries.
Law enforcement authorities have arrested a suspect in Belarus, but have yet to reveal the suspect’s identity.