Posted by Kevin on April 9, 2015.
EU and US crimefighters have announced today that, in conjunction with Intel Security, Kaspersky and Shadowserver from the private sector, they have taken down the Beebone botnet (also known as the AAEH botnet).
I would normally say that such statements are a bit of an exaggeration. Usually the most that can be claimed is that the botnet has been disrupted. In this case, however (provided that Europol is not telling porkies), we can confidently say that this instance of this botnet has indeed been ‘taken down’:
The botnet was ‘sinkholed’ by registering, suspending or seizing all domain names with which the malware could communicate and traffic was then redirected. Data will be distributed to the ISPs (Internet Service Providers) and CERTs (Computer Emergency Response Teams) around the world, in order to inform the victims.
Notice the use of the word ‘all’. If this is true, then this botnet is kaput.
But not forever. The code is still out there. And so are the perpetrators (for now at least). So unless a parallel action is closing fast on the criminals themselves, the botnet will return.
But the crimefighters are learning. When the Dutch police ‘took down’ the Bredo botnet in 2010, they ‘infected’ every bot communicating with the servers with their own warning malware. Strictly speaking they almost certainly broke European laws. (See Dutch Police infect users with trojan – legal or illegal; good thing or bad thing?).
They’re not doing it this time. They’re taking the far more appropriate route of informing ISPs and CERTs and allowing them to inform the users that they’ve been infected.