Andromeda Botnet Malware Not Fully Dismantled in International Cyber Operation Last Year
TEHRAN (Tasnim) - Traces of the Andromeda botnet can still be found on many PCs, despite the botnet being the subject of an international takedown operation in November last year.
The Andromeda botnet was associated with 80 different malware families and grew so large that it was at one point infecting a million new machines a month, distributing itself via social media, instant messaging, spam emails, exploit kits, and more.
The botnet was finally taken down by the FBI, Europol's European Cybercrime Centre (EC3) and others in December last year -- but many PCs are still infected.
"We're continuing to see hits on the Andromeda botnet. What that means is the governments have actually brought down the C&Cs which manage the infrastructure, but on the endpoints, that stuff still hasn't actually been cleaned up," Anthony Giandomenico, senior security strategist at Fortinet, told ZDNet.
Fortinet's research suggests that one in ten organisations around the world have machines which contain traces of the Andromeda botnet. Asia and the Middle East are the most likely to be affected, with the botnet eight times more prevalent in these regions than it is in Europe.
The infected Windows computers can't actually retrieve or carry out commands for the botnet anymore, but still contain traces of the botnet malware.
A lack of awareness or monitoring of the networks is likely to be the reason the machines roped into the Andromeda botnet still haven't been discovered -- especially if they can no longer cause any specific harm.
Botnets gather computers into a network which can be used for performing DDoS attacks, delivering malware and more.
Fortinet's report points out Smominru as one of the more notable botnet additions of recent times. This cryptocurrency miner has rapidly expanded its network in the first half of the year, helped along by exploiting EternalBlue, the Windows vulnerability which made WannaCry ransomware so potent.
In order to combat the threat of botnets -- even 'dead' ones like Andromeda -- organisations need to be more proactive with their security procedures.
"What these organisations need to do is to define what their incident response processes are. The first simple step is having somebody monitor your firewalls, your intrusion prevention system, look for different types of alerts that are triggering," said Giandomenico.
"That information is going to tell you what machines are triggering on those things, then you can go to those machines and start your cleanup process," he added.
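The monitoring step Giandomenico describes above, turned into code as an added example that is not part of the article or of any Fortinet product: it reads firewall/IPS alert lines, keeps only the signatures that point at a compromised internal endpoint, and groups them by source host so a responder has an ordered cleanup queue. The log format, signature names, IP addresses and the `Botnet.` naming prefix are all constructed for illustration and are not real indicators.

```python
"""Turn firewall / IPS alert logs into a per-host cleanup queue.

Constructed example: the log format, signature names and addresses below
are hypothetical and not taken from the article or from any vendor product.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts in a generic "key=value" syslog style. One line is
# deliberately malformed and one is a plain traffic record, to show both are skipped.
SAMPLE_LOGS = """\
2018-08-01T09:12:03Z devname=fw-edge type=ips severity=high src=10.20.1.15 dst=203.0.113.7 dport=80 sig="Botnet.CnC.Beacon" action=blocked
2018-08-01T09:12:44Z devname=fw-edge type=ips severity=low src=10.20.1.200 dst=198.51.100.9 dport=443 sig="Web.Scanner.Generic" action=detected
2018-08-01T09:13:10Z devname=fw-edge type=ips severity=high src=10.20.1.15 dst=203.0.113.7 dport=80 sig="Botnet.CnC.Beacon" action=blocked
this line is not an alert at all
2018-08-01T09:14:55Z devname=fw-edge type=ips severity=medium src=10.20.3.42 dst=203.0.113.50 dport=8080 sig="Botnet.Downloader.HTTP" action=blocked
2018-08-01T09:15:01Z devname=fw-edge type=traffic src=10.20.1.15 dst=10.20.0.1 dport=53
2018-08-01T09:16:30Z devname=fw-edge type=ips severity=high src=10.20.1.15 dst=203.0.113.8 dport=443 sig="Botnet.CnC.Beacon" action=blocked
"""

# Hypothetical signature families that indicate an infected internal host
# rather than external noise (e.g. a scanner hitting the perimeter).
ENDPOINT_COMPROMISE_PREFIXES = ("Botnet.",)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an IPS alert."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    if fields.get("type") != "ips" or "src" not in fields or "sig" not in fields:
        return None
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


@dataclass
class HostFindings:
    hits: int = 0
    signatures: set = field(default_factory=set)
    destinations: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def build_cleanup_queue(log_text):
    """Group endpoint-compromise alerts by internal source host.

    Returns a list of (src_ip, HostFindings) sorted so the host with the most
    hits comes first, which is the order a responder would work through.
    """
    hosts = defaultdict(HostFindings)
    for raw in log_text.splitlines():
        alert = parse_line(raw)
        if alert is None:
            continue  # malformed line or non-IPS traffic record
        if not alert["sig"].startswith(ENDPOINT_COMPROMISE_PREFIXES):
            continue  # perimeter noise, not evidence of an infected endpoint
        h = hosts[alert["src"]]
        h.hits += 1
        h.signatures.add(alert["sig"])
        h.destinations.add(alert["dst"])
        h.first_seen = h.first_seen or alert["timestamp"]
        h.last_seen = alert["timestamp"]
    return sorted(hosts.items(), key=lambda item: item[1].hits, reverse=True)


if __name__ == "__main__":
    for ip, f in build_cleanup_queue(SAMPLE_LOGS):
        print(f"{ip}: {f.hits} hit(s), signatures={sorted(f.signatures)}, "
              f"destinations={sorted(f.destinations)}, last_seen={f.last_seen}")
```

On the sample data the host `10.20.1.15` comes out first with three blocked beacon attempts to two destinations, which is exactly the pattern a dormant infection produces after a C&C takedown: the endpoint keeps trying to call home, the requests fail or are blocked, and nothing is cleaned up until someone reads the alerts. Keeping `first_seen` and `last_seen` per host lets the responder tell a one-off detection from a machine that has been beaconing for weeks.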