One of the Largest Botnets in Existence just got Shut Down
Traces of the Andromeda malware family were found in one million machines per month, for the last six months of Europol’s investigation.
A collaborative effort involving Europol’s European Cybercrime Centre, the Joint Cybercrime Action Taskforce, and even the FBI, has just dismantled one of the longest-running malware families in existence. The Andromeda malware system was finally killed by the law enforcement coalition after four years of investigation and a co-ordinated offensive finale.
According to Europol, Andromeda’s main goal was to distribute and integrate itself with other malware families, aiding its spread across the world. To this end, the software was very successful – the investigation ultimately discovered its associations with at least 80 other malware families.
In more practical terms, the Andromeda family was so virulent that its traces were detected in an average of 1 million machines every month over the last six months. The malware was also favoured by Avalanche – a major phishing group – which was successfully dismantled in 2016 following a four-year-long cyber-operation involving some of the agencies taking part in the current investigation.
Europol claims that one of the core components of ultimately destroying Andromeda involved aggressively attacking over 1,500 domains which were involved in spreading the software. In a 48-hour window of this sinkholing operation (which reroutes the traffic between infected machines and the criminals’ servers to servers controlled by law enforcement instead), Microsoft identified over 2 million unique Andromeda victim IP addresses from over 223 IP regions.
Sinkholing has proved effective enough that its use is being extended as the Avalanche investigation continues. Globally, 55% of the computer systems originally infected by Avalanche remain infected today.
Steven Wilson, the Head of Europol’s European Cybercrime Centre, said: “This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”
The Andromeda and Avalanche investigations have involved the participation of the following EU Member States: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain and the United Kingdom. The following non-EU states were also involved: Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.