As the Andromeda botnet gets dismantled, another steps forward to take over the job of infecting IoT devices.
Law enforcement agencies around the world have claimed a breakthrough in taking down one of the biggest botnets to affect IoT devices.
The Andromeda botnet was defeated by a joint cyber security taskforce, made up of personnel from the US Federal Bureau of Investigation (FBI), Germany’s Luneburg Central Criminal Investigation Inspectorate, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and a number of private-sector partners.
According to a public statement from Europol, hackers behind the botnet created a network of as many as 2 million infected computers and used it to distribute other malware families. The malware spread so quickly that the agencies had to track down and block over one million infected machines every month.
Europol said that the malware was also used in the Avalanche network, which was dismantled in a huge international cyber operation in 2016. Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and used in the investigations to dismantle the Andromeda malware.
Sinkholing approach used
Law enforcement agencies took action against the servers and domains that were used to spread the Andromeda malware. Overall, 1,500 domains of the malicious software were dealt with through ‘sinkholing’, whereby traffic between infected computers and the criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company.
According to Microsoft, during 48 hours of sinkholing, approximately 2 million unique Andromeda victim IP addresses from 223 countries were captured. The involved law enforcement authorities also executed the search and arrest of a suspect in Belarus.
Europol added that sinkhole measures used in the Avalanche case have been extended by another year. This was necessary, it added, as globally 55 percent of the computer systems originally infected in Avalanche are still infected today.
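Sinkholing turns the redirected traffic into a victim census, and the same list of sinkholed domains lets a network defender find its own still-infected hosts (the 55 percent Europol refers to). The following is an added example, not code from Europol, Microsoft or the article: it scans a resolver log in a constructed format for queries to placeholder sinkholed domains (the `.invalid` names are stand-ins, not real Andromeda indicators) and reports each querying host with its first and last sighting, so the hosts can be cleaned rather than left to keep calling home.

```python
"""Find internal hosts still resolving sinkholed botnet domains.

Added example, not part of the article. Assumptions: SINKHOLED_DOMAINS is a
placeholder list (real Andromeda/Avalanche domains come from the takedown
partners), and the resolver log uses the constructed one-line-per-query
format "<timestamp> <client_ip> <qname> <rcode>".
"""
from datetime import datetime

# Placeholder sinkholed domains (constructed; .invalid is reserved and never resolves).
SINKHOLED_DOMAINS = {"example-c2-1.invalid", "example-c2-2.invalid"}

# Constructed resolver log: two internal hosts query sinkholed names, one does not.
SAMPLE_DNS_LOG = """\
2017-12-05T10:00:01Z 10.0.1.15 www.example.org NOERROR
2017-12-05T10:00:04Z 10.0.1.15 example-c2-1.invalid NOERROR
2017-12-05T10:02:17Z 10.0.2.40 example-c2-2.invalid NOERROR
2017-12-05T10:03:09Z 10.0.1.15 EXAMPLE-C2-1.invalid. NOERROR
2017-12-05T10:05:30Z 10.0.3.8 update.example.org NOERROR
2017-12-05T10:07:44Z 10.0.2.40 sub.example-c2-1.invalid NOERROR
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, normalised qname, rcode)."""
    ts, client, qname, rcode = line.split()
    # Normalise case and strip the trailing dot of a fully-qualified name.
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            client, qname.lower().rstrip("."), rcode)


def matches_sinkhole(qname, sinkholed=SINKHOLED_DOMAINS):
    """True if qname is a sinkholed domain or any subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in sinkholed)


def find_infected_hosts(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Return {client_ip: {"first_seen", "last_seen", "count", "domains"}}
    for every client that queried a sinkholed domain."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _rcode = parse_line(line)
        if not matches_sinkhole(qname, sinkholed):
            continue
        rec = hits.setdefault(client, {"first_seen": ts, "last_seen": ts,
                                       "count": 0, "domains": set()})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["count"] += 1
        rec["domains"].add(qname)
    return hits


if __name__ == "__main__":
    for host, rec in sorted(find_infected_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {rec['count']} queries, first {rec['first_seen']:%H:%M:%S}, "
              f"last {rec['last_seen']:%H:%M:%S}, domains {sorted(rec['domains'])}")
```

Subdomain matching matters because bots rarely query the bare registered domain; the lookup is case-insensitive and tolerant of a trailing dot because resolver logs differ on both points. Feeding the result into a ticketing or NAC workflow is what actually shrinks the still-infected population.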
Satori IoT botnet gathers momentum
The work never stops, however. With one botnet tackled, security researchers have warned that another is quickly emerging.
According to a blog post from IT security company Qihoo Netlab, a new variant of Mirai called Satori has started to propagate. This new variant differs from other known Mirai variants in two significant ways.
First, the bot doesn’t rely on separate loader and scanner mechanisms to perform remote planting; instead, the bot itself performs the scan activity. “This worm-like behaviour is quite significant,” said researchers.
Second, two new exploits, one targeting port 37215 and the other port 52869, have been added to the malware. “Due to the worm-like behaviour, we all should be on the look-out for port 37215 and 52869 scan traffic,” they advised.
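As an added example of the look-out Netlab recommends (not code from Netlab or the article), the script below reads TCP flow records in a constructed format and flags any source that sends SYNs to many distinct destinations on port 37215 or 52869 within a short window, which is the trace a self-scanning bot leaves in perimeter telemetry. The record format, the five-destination threshold and the 60-second window are assumptions chosen for illustration.

```python
"""Flag sources scanning for the two ports Netlab names (37215 and 52869).

Added example, not from Netlab's post. Assumptions: flow records are one per
line as "<timestamp> <src> <dst> <dport> <proto> <tcp_flags>"; a source that
sends SYN-only segments to `threshold` or more distinct destinations on a
watched port within `window` is reported. Threshold and window are illustrative.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PORTS = {37215, 52869}  # the two ports named in the Netlab advisory

# Constructed flows: one scanner on 37215, a two-destination host on 52869,
# unrelated HTTPS traffic, and a SYN-ACK that must not count as a probe.
SAMPLE_FLOWS = """\
2017-12-05T12:00:00Z 203.0.113.9 198.51.100.10 37215 tcp S
2017-12-05T12:00:01Z 203.0.113.9 198.51.100.11 37215 tcp S
2017-12-05T12:00:02Z 203.0.113.9 198.51.100.12 37215 tcp S
2017-12-05T12:00:03Z 203.0.113.9 198.51.100.13 37215 tcp S
2017-12-05T12:00:04Z 203.0.113.9 198.51.100.14 37215 tcp S
2017-12-05T12:00:05Z 203.0.113.9 198.51.100.15 37215 tcp S
2017-12-05T12:00:06Z 203.0.113.20 198.51.100.10 52869 tcp S
2017-12-05T12:00:07Z 203.0.113.20 198.51.100.11 52869 tcp S
2017-12-05T12:00:08Z 192.0.2.5 198.51.100.10 443 tcp S
2017-12-05T12:00:09Z 198.51.100.10 203.0.113.9 37215 tcp SA
2017-12-05T12:05:00Z 203.0.113.9 198.51.100.16 37215 tcp S
"""


def parse_flow(line):
    """Split one record into (timestamp, src, dst, dport, proto, flags)."""
    ts, src, dst, dport, proto, flags = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), proto, flags


def detect_scanners(flow_text, ports=WATCHED_PORTS, threshold=5,
                    window=timedelta(seconds=60)):
    """Return {(src, dport): peak_distinct_destinations} for every (source, port)
    pair whose distinct-destination count inside a sliding window reached
    `threshold`. Only SYN-only TCP segments to watched ports are considered."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags = parse_flow(line)
        if proto == "tcp" and dport in ports and flags == "S":
            events[(src, dport)].append((ts, dst))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        in_window = deque()           # (ts, dst) records inside the window
        seen = defaultdict(int)       # dst -> occurrences inside the window
        peak = 0
        for ts, dst in evs:
            in_window.append((ts, dst))
            seen[dst] += 1
            # Evict records older than the window before measuring fan-out.
            while in_window and ts - in_window[0][0] > window:
                _old_ts, old_dst = in_window.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, port), fanout in detect_scanners(SAMPLE_FLOWS).items():
        print(f"possible scanner {src} -> port {port}: {fanout} distinct targets in 60s")
```

Counting distinct destinations rather than raw packets keeps a single noisy retransmitting client from tripping the rule, and restricting to SYN-only segments ignores the SYN-ACK replies of your own exposed hosts. On a real sensor the thresholds should be tuned against a baseline, since both ports are also used by legitimate UPnP and management traffic.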