Sign up to our newsletter
A recent operation by law enforcement authorities worldwide disrupted hundreds of sprawling botnets across the globe. The botnets, or networks of ‘bots’ that do the bidding of their masters, were powered by malware, most of which was classified by ESET researchers under the Win32/TrojanDownloader.Wauchos detection name, but also known as Gamarue or Andromeda by some other security vendors.
The international crackdown on November 29 came after a concerted effort by Microsoft and ESET researchers that ran for more than a year. ESET provided technical intelligence for the operation after tracking the botnets, identifying their command and control (C&C) servers, and keeping tabs on what those behind the threat were installing on victims’ systems. We sat down with ESET Senior Malware Researcher Jean-Ian Boutin to talk about ESET’s role in this operation, as well as about threats that botnets pose in general.
Wauchos has been around since 2011 and was available in underground forums and has thus been sold to various people. Also, its numerous features and continuing development were appealing to the cybercriminals who ended up using it for long periods.
This type of operation takes a long time. As mentioned in the blog, this effort started in 2015. It took a long time to get everything ready for a law enforcement operation. Also, there must be appropriate entities that are willing to put the necessary resources into putting an end to a botnet. Thus, the botnet must be very prevalent and cause a lot of harm to instigate an operation on this scale.
Most of the infestations we’ve seen in the past six months were in South-East Asia and South America.
Wauchos infection vectors included social media, removable media, spam and drive-by downloads. As none of these are targeting any particular group of users, pretty much every computer user clicking a link is a potential victim.
Our role in the operation was on the technical side: malware analysis and finding C&C servers used by the different Wauchos botnets. As this threat was sold in underground forums, it was important to make sure that all Wauchos C&C servers were identified and taken down simultaneously. We helped with this effort through our botnet tracker system.
The first step was to analyze the bot’s network protocol and behavior in order to include it in our botnet tracker platform. This platform can automatically analyze samples received from our clients, extract the relevant information and use this to connect directly to the malware C&C server. Through this, we can gather the relevant information for this operation automatically by analyzing the Wauchos samples reported to us by our clients.
Of course, when working on this type of operation, it is of primary importance to make sure that criminals are not aware of it. So, we tried to inform only the people who needed to know about it and to keep the sensitive information private.
Historically, Wauchos was used to steal login credentials through its form grabber plugin and install additional malware onto the infected system.
As Wauchos was bought and then distributed by a variety of cybercriminals, the infection vectors used to disseminate this threat varied greatly. Historically, Wauchos samples were distributed through social media, instant messaging, removable media, spam, and exploit kits.
As Wauchos was sold on underground forums, there were various monetization schemes. One of them was to use the form grabber plugin to steal passwords for online accounts. Another one was, for a fee, to install additional malware on the compromised machine, a wildly popular scheme amongst cybercriminals and known as ‘pay-per-install’.
They were using several C&C servers located in various locations. It is these servers that were targeted in the takedown operation.
Wauchos bots were using a recognizable network pattern when communicating with their C&C servers. This allowed us to protect our users better by adding another layer of protection: the creation of network detections to be able to recognize when a bot was trying to reach out to its C&C server.
The details of the network communication can be found in the blog. It was obtained by reverse engineering the various samples.
Yes, it was using an RC4 key embedded in the binary.
Wauchos was interfering with the operating system in many ways. Among other things, it was attempting to disable Windows Firewall, Windows Update and User Account Control functions.
As this malware family was for sale in underground forums, different cybercriminals were using different techniques, but yes, we saw samples employing anti-VM and anti-sandbox techniques.
It will probably slowly disappear as remediation is under way. For this type of long-lived botnet, it is very hard to clean all the systems that have been compromised by Wauchos, but as long as the good guys are in control of the C&C servers, at least no new harm can be done to those compromised PCs.
Depending on the malware family, it can be difficult to recognize that your computer is compromised. If you notice weird behavior from your computer such as – but not limited to – your security solution being disabled or no longer able to update itself, or if you realize that you are not receiving the normal Windows updates, malware might be the culprit. Using free tools such as ESET’s Online Scanner to scan your system can help to find and remove malware that might be causing these issues.
Most of the common malware families are using old tricks and cannot install themselves without some help from incautious users. The usual recommendations of not clicking on random links or not opening attachments coming from untrusted sources go a long way towards staying safe on the internet.
Author Tomáš Foltýn, ESET