
International Operation Takes Down Beebone Botnet

This week a coordinated international effort by law enforcement agencies and private sector partners took down Internet domains known to be hosting the Beebone (also known as AAEH) botnet, which acted as a “downloader,” installing other forms of malicious software on victims’ computers without their consent or knowledge. The secondary infections installed by Beebone included software that stole banking logins and passwords, as well as fraudulent anti-virus software and ransomware.

Initial figures show that over 12,000 computers have been infected; however, it is likely there are many more.

The FBI and National Cyber Investigative Joint Task Force-International Cyber Crime Coordination Cell joined forces with Europol’s European Cybercrime Center (EC3) and Joint Cybercrime Action Taskforce (J-CAT) and the Dutch National High Tech Crime Unit in the operation.

Led by the Dutch National High Tech Crime Unit, cyber liaison officials from the US and Europe were assisted by industry in the form of Intel Security, Kaspersky and Shadowserver. Eurojust also provided assistance to the operation.

The botnet was "sinkholed" by registering, suspending or seizing all domain names with which the malware could communicate, and traffic was then redirected. Data would be distributed to the Internet Service Providers and Computer Emergency Response Teams around the world in order to inform the victims. The botnet does not seem widespread; however, the malware is very sophisticated, allowing multiple forms of malware to compromise the security of the victims’ computers.

The FBI, working with foreign partners, and the US Attorney’s Office for the Southern District of New York and the Computer Crime and Intellectual Property Section within the Department of Justice seized approximately 100 domain names used by the botnet.

FBI Assistant Director for Cyber Joseph Demarest, Jr. said, “Botnets like Beebone have victimized users worldwide, which is why a global law enforcement team approach working with the private sector is so important.”

To illustrate the sophisticated nature of this threat, there are currently over 5 million unique W32/Worm-AAEH samples, with more than 205,000 samples from 23,000 systems in 2013-2014. These systems are spread across more than 195 countries, demonstrating the threat’s global reach. The United States reported the greatest number of infections followed by Japan, India and Taiwan.

Europol said in a statement that F-Secure, Intel Security, Symantec and TrendMicro have all released a remedy to clean and restore infected computers’ defenses. For those who fear their computer may have been infected, EC3 recommends downloading specialist disinfection software. 

Homeland Security Today (http://www.hstoday.us)