Beebone Botnet Taken Down By Another Security Team-Up

Small in scale, but high in sophistication, the Beebone botnet and polymorphic downloader is disrupted by an international, public-private effort.

Sara Peters, Senior Editor

April 9, 2015

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Another botnet came crashing down (at least temporarily) yesterday, as a result of an international, public-private collaboration. The effort, led by the Dutch National High-Tech Crime Unit, disrupted Beebone (a.k.a. AAEH) -- a botnet that's small in scale but high in sophistication, based upon a polymorphic downloader that installs a variety of other malware on victim machines, including rootkits and ransomware.

"Operation Source" followed the same model established by "Operation Tovar," which took down the Gameover ZeuS botnet in June. All of the Beebone botnet's domain names were seized and all traffic redirected. The data was distributed to ISPs and CERTs, which could thereby help identify infected machines and help victims remove Beebone -- and the other malware it installed -- from their systems.

Also, like Tovar and recent operations that disrupted Shylock and Hikit, Operation Source tapped the resources of a wide variety of organizations. In addition to the Dutch National High-Tech Crime Unit, agents from the FBI, Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce, and the National Cyber Investigative Joint Task Force worked on the effort. The private sector helped, too, with researchers from Intel Security, Kaspersky Labs, and Shadowserver providing support.

What makes this case a bit different is that Beebone isn't nearly as widespread as some of the prior targets. Although Europol's announcement today states, "it is likely there are many more," the estimate is that there are only about 12,000 Windows client and server machines infected with Beebone (most of which are in the United States).

"The botnet does not seem the most widespread," the release states, "however the malware is a very sophisticated one."

Beebone is polymorphic -- meaning it has the ability to change its form with every infection. In fact, once it's installed, it morphs every few hours. Even though there are only about 12,000 machines infected with the malware, there are over 5 million unique samples of it. This makes it nearly impossible for signature-based anti-virus to block it. Plus, Beebone terminates connections to the IP addresses of security companies and disables tools that try to terminate it. 

The malware also spreads like a worm. (Intel's name for it is W32/Worm-AAEH.) It propagates across networks, via removable drives, and through ZIP and RAR archive files. 

Once it's there, it's hard to get rid of, and serves as an easy delivery system for other malware with a variety of more vicious payloads. Beebone has downloaded rootkits (including ZeuS and ZeroAccess), ransomware (including CryptoLocker), password stealers (including ZBot), and fake anti-virus. 

About the Author

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights