Global law enforcers claim to have dismantled the infrastructure used to deliver the infamous Andromeda malware — one of the longest running families around.
A joint operation comprising the FBI, Germany’s Luneburg Central Criminal Investigation Inspectorate, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector firms including Microsoft took place on November 29.
The Andromeda botnet is said to have been associated with 80 malware families, many of which it helped to distribute, and was detected on over one million machines every month.
Participating police used experience gained in dismantling the infamous Avalanche cybercrime infrastructure to help them with this operation.
Some 1500 domains were sinkholed by Microsoft over a 48-hour period, during which time around two million unique victim IP addresses from a staggering 223 countries were captured, according to Europol.
Police also made one arrest, of a suspect in Belarus.
ESET claimed that Andromeda, also known as Gamarue, became so popular that multiple independent botnets sprang up around the world.
“Created by cybercriminals in September 2011, and sold as a crime-kit on the Dark Web in underground forums, the purpose of the Gamarue family was to steal credentials and to download and install additional malware onto users’ systems,” the firm explained.
“This malware family is a customizable bot, which allows the owner to create and use custom plugins. One such plugin allows the cyber-criminal to steal content entered by users in web forms while another enables criminals to connect back and control compromised systems.”
EC3 boss Steven Wilson hailed the operation’s success as proof that public-private partnerships like this can work.
“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber-criminals and the dedicated infrastructure they use to distribute malware on a global scale,” he added.
However, law enforcers have been forced to continue their work to disrupt Avalanche, highlighting the persistence of cybercrime infrastructure.
Over half (55%) of systems originally infected with the malware are still infected today, meaning sinkhole measures have been extended for another year.