International law enforcement activity has taken out the Beebone botnet, seizing approximately 100 internet domain names used by the botmaster to communicate with infected Windows computers.
Instead of calling home to servers controlled by cybercriminals, botted or zombified computers now connect to a sinkhole server operated by Europol’s European Cybercrime Centre (EC3).
EC3 will coordinate with internet service providers to identify victims and help them clean up the malware.
The Beebone botnet (also called AAEH, among other names) controlled at least 12,000 infected computers in dozens of countries around the world, although the number of infected PCs is probably “much higher,” according to EC3.
Beebone acts as a downloader, typically installing another malware in a family known as Vobfus (pronounced “vee-ob-fuss”, because it is delivered in the form of heavily obfuscated, or disguised, Visual Basic code).
Once Beebone/Vobfus is on your computer, the botnet operators can instruct it to download yet more malware, such as banking Trojans, password-stealers, spyware or ransomware.
SophosLabs researchers have been tracking Beebone/Vobfus for several years, and we previously wrote about this threat back in November 2012.
Back then, a variant known as W32/VBNA-X quickly became widespread.
Many of the Beebone/Vobfus variants have similar self-spreading capabilities, meaning that they are technically computer viruses.
→ Most malware samples you’ll see these days are Trojan Horses, loosely meaning “programs that do bad things you would never have agreed to if only you had known in advance.” They don’t spread by themselves, but rely on techniques such as tricky emails and poisoned web pages for dissemination. Viruses, however, are Trojans that can spread themselves.
Beebone/Vobfus can spread automatically across your network and to removable drives, typically creating an program file in the root folder with a filename such as:
Beebone/Vobfus samples change very frequently, so this is what is known as a polymorphic, or shape-shifting, threat.
For example, when the malware copies itself across your network, the destination files are modified during the copy.
The copied programs will have the same behavior as the original, but using a different sequence of program instructions so that no two files are byte-for-byte identical.
(My colleague Paul Ducklin provides an example: Mr. Paul Ducklin and DUCKLIN, PAUL refer to the same person, yet the two text strings are different.)
Of course, if one of those mutated copies is run, it will, in turn, create a whole raft of newly modified copies in turn.
Indeed, the malware changes so often that there are now over 5 million unique samples, according to EC3.
The idea of this sort of self-modification is to defeat naive malware checking systems that rely on a list of known-bad files.
Products like Sophos Anti-Virus, however, are able to detect polymorphic malware without needing to enumerate every possible file that might be produced.
Analysing a program before it runs to see how it would behave allows you to identify polymorphic malware generically; if that fails, monitoring what a program does when it runs gives you a second chance to identify and block malicious behavior.
What to do?
You can check your computer to see if it’s infected with Beebone/Vobfus, and quickly remove the malware, using the Sophos Free Virus Removal Tool.
Note. Sophos products block the malware described in this article with a wide array of sample names, including Mal/SillyFDC-*, Troj/Vb-FWD, Mal/VBCheMan-*, HPmal/OSMod-A, Mal/Vobfus-* and Troj/Paskod-A.
Learn more about botnets
Hear all about botnets from Sophos experts and Naked Security writers Paul Ducklin and James Wyke in our Techknow podcast entitled Understanding Botnets. They explain, in plain English, the what, why and how of bots, botnets and cybercrime.
(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)
Free Virus Removal Tool
The Sophos Free Virus Removal Tool works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.
Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.
Image of bumblebee pattern courtesy of Kenshi991 / Shutterstock.com.
2 comments on “Buh-bye Beebone! Law enforcement kills polymorphic virus-spreading botnet”
John Zorabedian wrote “Analysing a program before it runs to see how it would behave allows you to identify polymorphic malware generically; if that fails, monitoring what a program does when it runs gives you a second chance to identify and block malicious behavior.”
Umm, John, didn’t Alan Turing show that this is impossible via his proof in 1936 that the Halting problem is undecidable?
“On Computable Numbers, with an Application to the Entscheidungsproblem.”
We aren’t offering you a certainty here, precisely because of the Halting problem. In fact, John was perfectly frank about the fact that pre-execution analysis sometimes won’t work, because he explicitly wrote, “if that fails…”
Indeed, Turing’s result says that anyone who promises you a 100% accurate anti-virus, no updates required, is lying. But Turing’s result doesn’t say that you are inevitably going to be 0% accurate, either.
The point here is that if you identify malware by matching a specific file against a giant list of already-known files, you won’t detect polymorphic viruses generically. But if you dissect a program and attempt to evaluate its run-time behaviour in advance, for example using emulation, you will often (though provably not always) be able to identify that a program is dodgy, even if it has gone out of its way to disguise its true nature.
There’s no reason not to maintain a giant list of known-bad files, by the way. (Or a list of known-good ones, too.) Such lists can be very helpful, especially when you keep seeing the same file over and over again, and want to see what you thought of it last time it came in.
But polymorphic viruses were invented back in the late 1980s for precisely the purpose of ensuring that relying *only* on a list of known-bad files, or a list of specific “anti-virus code signatures”, would be inadequate.