International law enforcement activity has taken out the Beebone botnet, seizing approximately 100 internet domain names used by the botmaster to communicate with infected Windows computers.
Instead of calling home to servers controlled by cybercriminals, botted or zombified computers now connect to a sinkhole server operated by Europol’s European Cybercrime Centre (EC3).
EC3 will coordinate with internet service providers to identify victims and help them clean up the malware.
The Beebone botnet (also called AAEH, among other names) controlled at least 12,000 infected computers in dozens of countries around the world, although the number of infected PCs is probably “much higher,” according to EC3.
Beebone acts as a downloader, typically installing a second piece of malware from a family known as Vobfus (pronounced “vee-ob-fuss”, because it is delivered in the form of heavily obfuscated, or disguised, Visual Basic code).
Once Beebone/Vobfus is on your computer, the botnet operators can instruct it to download yet more malware, such as banking Trojans, password-stealers, spyware or ransomware.
SophosLabs researchers have been tracking Beebone/Vobfus for several years, and we previously wrote about this threat back in November 2012.
Back then, a variant known as W32/VBNA-X quickly became widespread.
Many of the Beebone/Vobfus variants have similar self-spreading capabilities, meaning that they are technically computer viruses.
→ Most malware samples you’ll see these days are Trojan Horses, loosely meaning “programs that do bad things you would never have agreed to if only you had known in advance.” They don’t spread by themselves, but rely on techniques such as tricky emails and poisoned web pages for dissemination. Viruses, however, are Trojans that can spread themselves.
Beebone/Vobfus can spread automatically across your network and to removable drives, typically creating a program file in the root folder with a filename such as:
Beebone/Vobfus samples change very frequently, so this is what is known as a polymorphic, or shape-shifting, threat.
For example, when the malware copies itself across your network, the destination files are modified during the copy.
The copied programs will have the same behavior as the original but use a different sequence of program instructions, so that no two files are byte-for-byte identical.
(My colleague Paul Ducklin provides an example: Mr. Paul Ducklin and DUCKLIN, PAUL refer to the same person, yet the two text strings are different.)
Of course, if one of those mutated copies is run, it will in turn create a whole raft of newly modified copies.
Indeed, the malware changes so often that there are now over 5 million unique samples, according to EC3.
The idea of this sort of self-modification is to defeat naive malware checking systems that rely on a list of known-bad files.
Products like Sophos Anti-Virus, however, are able to detect polymorphic malware without needing to enumerate every possible file that might be produced.
Analysing a program before it runs, to see how it would behave, lets you identify polymorphic malware generically; if that fails, monitoring what the program actually does when it runs gives you a second chance to identify and block malicious behavior.
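The following is an added illustration, not code from the article or from Sophos, of the point made above: a blocklist of known-bad file hashes is defeated by copies that differ byte-for-byte, whereas a check that normalises away the varying parts and looks at the behaviour still matches. The "programs" are constructed toy token strings (pseudo-instructions such as COPY_SELF_TO_ROOT), not real Beebone/Vobfus samples, and the junk tokens NOP, SWAP and PAD:n are an assumption standing in for the instruction-level variation a polymorphic copier introduces.

```python
"""Toy comparison of hash-based versus generic (behaviour-based) detection.

Added example; all samples are constructed strings, not real malware.
"""
import hashlib
import re

# Constructed toy "programs": whitespace-separated pseudo-instructions.
# NOP, SWAP and PAD:<n> are assumed junk instructions that change nothing
# about behaviour; they are what differs between the polymorphic copies.
ORIGINAL = "COPY_SELF_TO_ROOT NOP SET_AUTORUN PAD:3 DOWNLOAD_PAYLOAD RUN_PAYLOAD"
COPY_A = "PAD:7 COPY_SELF_TO_ROOT SWAP SET_AUTORUN NOP NOP DOWNLOAD_PAYLOAD RUN_PAYLOAD"
COPY_B = "COPY_SELF_TO_ROOT PAD:1 PAD:2 SET_AUTORUN DOWNLOAD_PAYLOAD SWAP RUN_PAYLOAD NOP"
BENIGN = "PAD:3 OPEN_DOCUMENT NOP RENDER_PAGE"

JUNK = re.compile(r"^(NOP|SWAP|PAD:\d+)$")


def sha256(sample: str) -> str:
    """File hash of the raw bytes, as a naive known-bad list would store it."""
    return hashlib.sha256(sample.encode("utf-8")).hexdigest()


def hash_blocklist_hit(sample: str, blocklist: set) -> bool:
    """Naive check: only an exact byte-for-byte match is detected."""
    return sha256(sample) in blocklist


def normalise(sample: str) -> tuple:
    """Static analysis step: strip the junk that varies between copies,
    leaving the sequence of instructions that actually carry behaviour."""
    return tuple(tok for tok in sample.split() if not JUNK.match(tok))


# Generic signature: the behaviour sequence of the original, not its bytes.
BEHAVIOUR_SIGNATURE = normalise(ORIGINAL)


def generic_hit(sample: str) -> bool:
    """Generic detection: any copy with the same behaviour sequence matches,
    however many junk instructions were inserted or rearranged."""
    return normalise(sample) == BEHAVIOUR_SIGNATURE


def runtime_hit(sample: str) -> bool:
    """Second chance: judge by what the program does when run. Here the
    rule is 'copies itself to a root folder AND fetches a payload',
    independent of instruction order, so it also catches reordered copies."""
    actions = set(normalise(sample))
    return "COPY_SELF_TO_ROOT" in actions and "DOWNLOAD_PAYLOAD" in actions


def evaluate(sample: str, blocklist: set) -> dict:
    """Run all three checks on one sample and report which ones fired."""
    return {
        "hash_list": hash_blocklist_hit(sample, blocklist),
        "generic": generic_hit(sample),
        "runtime": runtime_hit(sample),
    }


if __name__ == "__main__":
    known_bad = {sha256(ORIGINAL)}  # the only sample the list has ever seen
    for name, sample in [("original", ORIGINAL), ("copy A", COPY_A),
                         ("copy B", COPY_B), ("benign", BENIGN)]:
        print(f"{name:9s} {sha256(sample)[:12]}... {evaluate(sample, known_bad)}")
```

Only the original file is on the hash list, so both mutated copies slip past it, while the normalising check and the behaviour rule catch all three and leave the benign sample alone. Real products, of course, normalise machine code rather than token strings, but the shape of the argument is the same.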
What to do?
You can check your computer to see if it’s infected with Beebone/Vobfus, and quickly remove the malware, using the Sophos Free Virus Removal Tool.
Note. Sophos products block the malware described in this article with a wide array of sample names, including Mal/SillyFDC-*, Troj/Vb-FWD, Mal/VBCheMan-*, HPmal/OSMod-A, Mal/Vobfus-* and Troj/Paskod-A.
Learn more about botnets
Hear all about botnets from Sophos experts and Naked Security writers Paul Ducklin and James Wyke in our Techknow podcast entitled Understanding Botnets. They explain, in plain English, the what, why and how of bots, botnets and cybercrime.
Free Virus Removal Tool
The Sophos Free Virus Removal Tool works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.
Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.