Article Lead Image

FBI and Europol bring down ‘shapeshifting’ Beebone botnet

If you get an email from your ISP, you've been infected.


JC Sevcik


Posted on Apr 9, 2015   Updated on May 29, 2021, 2:48 am CDT

An international joint operation by several governmental cybercrime-fighting teams and private cybersecurity firms deactivated a particularly sophisticated “shapeshifting” malware Thursday, reports Help Net Security.

By rewriting its own code, the malware, known as Beebone, was able to change its identifying characteristics up to 19 times a day to avoid detection by traditional anti-virus methods.  

“Beebone is highly sophisticated. It regularly changes its unique identifier, downloading a new version of itself, and can detect when it is being isolated, studied, or attacked,” Intel Security’s chief technology officer Raj Samani told the BBC. “It can successfully block attempts to kill it.”

Criminals used the Beebone malware to force victims’ computers to download other malicious software, such as “password stealers, ransomware, rootkits, and programs designed to take down legitimate websites,” as the BBC described it.

Beebone peaked at controlling 100,000 computers a day. While the malware wasn’t particularly widespread as viruses go, experts say the sophistication of the software represents a leap forward for cybercriminals.

“In terms of size this is obviously small, but in terms of sophistication, we’re talking about an investment by the criminals,” Samani told the Associated Press.

The Joint Cybercrime Action Taskforce (J-CAT) is an international cooperative initiated by Europol’s European Cybercrime Centre (EC3), the EU Cybercrime Taskforce, the Federal Bureau of Investigation, and the NCA and hosted by EC3 at Europol. Established in September of last year, J-CAT coordinates international investigations to combat cybercrime threats.

J-CAT worked in concert with the FBI and private security firms Intel Security, Kaspersky Labs, and Shadowserver to take down Beebone using a technique called “sinkholing.”

Sinkholing is the process of intercepting traffic from specific IP addresses controlled by cybercriminals and redirecting it to sites controlled by authorities, thereby suspending communication between the malware and its creators. As most of the sites used by the criminals were under U.S. jurisdiction, the FBI assisted in sinkholing almost 100 domains.

Now authorities are asking anyone affected by Beebone to clean up their computers. Security vendors F-Secure, TrendMicro, Symantec, and Intel Security have all created a free tool to remove the malware.

How do you know if you’ve been Beeboned? Samali says victims will be notified by their ISPs.

“This is yet another great example of how Europol’s EC3 is enabling effecting cooperation between law enforcement agencies in different jurisdictions in tackling cybercrime strengths,” Brian Honan, Special Advisor on Internet Security to Europol’s EC3, told Help Net Security.

“It also shows how effective Europol’s EC3 has been in working with private industry to identify and disrupt the infrastructure criminals rely on,” he added. “It is also welcoming to see the inclusion of ISPs and CERTs in the clean-up operation post the botnet takedown.”

Despite bringing down the botnet—a network of commandeered computers used to distribute malware, launch attacks, drain bank accounts, and do other dastardly bidding—no cybercriminals were apprehended by authorities in the operation against Beebone.

But Honan reminds readers it’s “important to note that disrupting the operations and cash flow of criminal gangs can be an effective tactic.”

“Botnet takedowns also sends a clear message to criminals that they are not invulnerable, and that law enforcement are increasingly developing their capabilities in this area to detect, disrupt, and to detain those involved in online crime,” Honan said. 

H/T BBC | Photo via Fernando Alfonso III

Share this article
*First Published: Apr 9, 2015, 7:02 pm CDT