The "Andromeda" botnet dismantled

(by Alessandro Rugolo)
02/01/18

A few days ago came the news, passed over in silence as usual, of the dismantling of the Andromeda botnet following an international cyber operation led by EUROPOL.
The botnet had been operational for several years ...

But let's start from the beginning: what is a botnet?

For those unfamiliar with the cyber world, the terminology can be a problem and you risk getting lost among neologisms without understanding the concept, so I will try to be as clear as possible, avoiding technicalities.

A botnet is a network of infected computers (I use the term "computer" broadly, to include mobile devices and so on). The infecting agent is called a "bot", and in the case of Andromeda it is a "trojan", while the infected computers are called "zombies". A botnet is governed by a "bot master", who uses its resources for purposes that are generally malicious.

The Andromeda botnet is, or perhaps it is better to say "was", a network known since 2011. It is also known by the names "Gamarue" and "Wauchos". It operates on devices running Windows 2000, Windows Server 2003, Windows XP (32-bit and 64-bit), Windows Vista (32-bit and 64-bit) and Windows 7 (32-bit and 64-bit), all members of the Microsoft Windows OS family. The Andromeda trojan is able to perform several operations: it can check whether it is running, download and run files, operate as a remote control system and, if necessary, uninstall itself from the infected machine to erase the traces of its presence; it is also able to connect to a number of malicious sites. Once installed on the system, it makes copies of itself that it distributes to various parts of the Operating System to ensure its survival.

According to Microsoft, the botnet spread across 223 different countries and could draw on more than 2 million infected devices (though the real numbers appear to be much larger), through which it could carry out various types of operations in addition to the more common Distributed Denial of Service (DDoS).
This is not the first time that a cyber operation has dismantled a botnet, but generally part of the botnet remains active and can potentially be used by whoever manages to take control of it. It should also be considered that Andromeda and its variants have been on sale for years and have been used to install other botnets, such as Neutrino, and then uninstalled to erase any trace of the link.

The dismantling of the Andromeda botnet, by a joint operation between the FBI, EUROPOL and the German police, is considered an important step because this network is thought to have been used to support another botnet known as Avalanche, itself dismantled at the end of 2016. In connection with Andromeda, a 37-year-old Belarusian has been arrested.

Online tools allow us to check the spread of the Trojan and its variants, and they show that even after the dismantling of Andromeda, active variants continue to exist throughout the world.

As the map shows, the infection has spread mainly in Europe, India, and Central and South America.
Italy is also heavily affected, and I am surprised by the lack of an awareness campaign that should include at least some basic information on how to detect the infection and remove it. Unfortunately, in Italy there is still not the right sensitivity to this kind of problem, which is thought to be the preserve of technicians.
Nothing could be more wrong. It is not the technicians who decide the approach to the cyber world; this is the task of the decision-makers, who naturally must be able to understand what the problem is and how to act at their level, perhaps simply by increasing the number of security experts in their organisation or by allocating a greater share of resources to the cyber sector.

But what can be said from the military point of view?

In general, a botnet is a complex structure, which means that it takes time to build and maintain it. Furthermore, attention and experience are needed to keep it secret while it waits to be used.
A large state-level military organization may have an interest in creating one or more botnets to be used for cyber operations. A botnet is certainly useful in the preparation phase of a carefully planned APT (Advanced Persistent Threat) attack.
In principle, a botnet can be used in preparing a complex cyber attack such as a DDoS, or for gathering information. But this does not seem to be the case with Andromeda. That does not mean Andromeda could not also have been used for military operations: some connections have been noted with an APT cyber operation called Operation Transparent Tribe, conducted in 2016 against Indian military and diplomatic personnel.

One thing is certain: once a botnet is destroyed, a new one will surely be created!


To learn more:
https://www.certnazionale.it/news/2017/12/06/smantellata-la-botnet-andro...
https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-...
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROMEDA
http://resources.infosecinstitute.com/andromeda-bot-analysis/
https://www.itnews.com.au/news/police-security-vendors-take-down-androme...
http://www.virusradar.com/en/Win32_KillAV/map
https://www.itworldcanada.com/article/canadian-threat-researchers-help-t...
https://www.welivesecurity.com/2017/12/04/eset-helps-law-enforcement-wor...
https://www.us-cert.gov/ncas/alerts/TA16-336A
https://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link...
https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-...