SINGAPORE, 5 December 2017 – Security
researchers at ESET, in collaboration with Microsoft and law enforcement
agencies – the Federal Bureau of Investigation (FBI), Interpol, Europol, and
other stakeholders in cybersecurity – have today taken down a major botnet
operation known as Gamarue (detected by ESET as
Win32/TrojanDownloader.Wauchos), which has been infecting victims since
2011.
A coordinated take-down started
on November 29th, 2017 and as a result of this joint effort, law enforcement
agencies across the globe were able to make an arrest and obstruct activity of
the malware family responsible for infecting more than 1.1 million systems per
month.
ESET and Microsoft researchers
shared technical analysis, statistical information, and known command and control
(C&C) servers’ domains to help disrupt the malicious activity of the group.
ESET also shared its historical knowledge of Gamarue, gained from the continual
monitoring of the malware and its impact on users over the past few years.
What is Gamarue?
Created by cybercriminals in
September 2011, and sold as a crime-kit on the Dark Web in underground forums,
the purpose of the Gamarue family was to steal credentials and to download and
install additional malware onto users’ systems.
This malware family is a
customizable bot, which allows the owner to create and use custom plugins. One
such plugin allows the cybercriminal to steal content entered by users in web
forms while another enables criminals to connect back and control compromised
systems.
Its popularity has resulted in a
number of independent Gamarue botnets in the wild. In fact, ESET found that its
samples have been distributed across the globe through social media, instant
messaging, removable media, spam, and exploit kits.
How did ESET and Microsoft researchers gather intelligence?
Using the ESET Threat Intelligence
service, ESET researchers were able to build a bot that could communicate with
the threat’s C&C server. Consequently, ESET and Microsoft were able to
closely track Gamarue’s botnets for the past year and a half, identifying their
C&C servers for takedown and monitoring what was installed on victims’
systems. The two companies have since compiled a list of all of the domains
used by the cybercriminals as C&C servers.
“In the
past, Wauchos has been the most detected malware family amongst ESET users, so
when we were approached by Microsoft to take part in a joint disruption effort
against it, to better protect our users and the general public at large, it was
a no-brainer to agree,” said Jean-Ian Boutin, Senior Malware
Researcher at ESET. “This particular threat has been around for
several years now and it is constantly reinventing itself – which can make it
hard to monitor. But by using ESET Threat Intelligence and by working
collaboratively with Microsoft researchers, we have been able to keep track of
changes in the malware’s behavior and consequently provide actionable data
which has proven invaluable in these takedown efforts.”
What should users do if they suspect their systems have been compromised?
Cybercriminals have traditionally
used Gamarue to target home users to steal credentials from websites through
its form grabber plugin. However, ESET researchers have recently seen the
malware being used to install various spam bots onto compromised machines in a
so-called pay-per-install scheme.
ESET is advising users that fear their Windows system might be
compromised to download and use the ESET Online Scanner, which
will remove any threats, including Gamarue, found on the system. To learn about
a more complex way to protect your devices from botnets, please visit ESET’s dedicated site.