Published 06 Sep 2019

A team of French police officers specialising in cybersecurity has managed to close down a botnet that was created after a virus spread through over 850,000 computers worldwide.

After identifying a server in Paris that was controlling the botnet, the officers succeeded in cleansing numerous affected computers around the world.

The story began in the spring when the C3N, France’s centre for combating digital crime, was tipped off by an anti-virus firm that a server in the country was attempting to spread a virus called Retadup to hundreds of thousands of computers running Microsoft Windows. The virus was primarily spread through emails presenting easy ways to make money, or offering erotic content. Attached USB drives could also be infected and used to spread the virus to other devices. While computers in more than a hundred countries were affected, the majority of these were located in Central and South America.

Once the virus took control of these computers, most were set to work mining a cryptocurrency called Monero without the computer owner’s knowledge or consent. In more sinister cases, however, the Retadup virus was seen installing the STOP ransomware, which encrypts users’ files and demands a ransom in return for a decryption tool. The Arkei password stealer was also observed being delivered. Data was even stolen from hospitals in Israel.

On analysing the Retadup virus, it became clear that its fairly simple command and control (C&C) protocol could offer the opportunity to disinfect affected computers if control could be exerted over the server. Ironically, an analysis of the C&C server revealed that it had also been affected by a different form of malware. While the French Gendarmerie consulted the prosecutor about performing a mass disinfection, great care was taken to avoid alerting Retadup’s authors out of fear of panicking them into replacing the cryptocurrency mining software, which was earning them a steady passive income, with something more destructive, such as ransomware.

The French prosecutor consented to the mass disinfection in July, giving the C3N the legal right to proceed. A duplicate C&C server was prepared in advance, and when it was swapped with the malicious server, thousands of infected computers connected to seek commands within seconds. Instead of receiving the usual commands, however, the Retadup virus was instructed to self-destruct, effectively disinfecting those computers.

The FBI also cooperated in taking down parts of the C&C infrastructure in the United States. The malware’s authors then had no control over their bot network as the disinfection server continued its job of cleansing affected computers. This server was also kept running to ensure that computers that had not been online recently could also be cleansed.

As was the case with the Retadup virus, the human element is often exploited to allow malware into network systems. As part of our network management services, we at Pro-Networks can provide self-awareness training for your staff, so they will be able to adopt better practices and identify possible threats to your cybersecurity. We can also help you mitigate threats through technologies like firewalls, threat monitoring, and anti-malware and anti-virus systems.
