Takedown! McAfee Labs Stops Beebone Polymorphic Botnet

Yesterday, April 8th, Intel Security’s McAfee Labs played a leading role in Operation Source, a global law enforcement collaboration that successfully dismantled the polymorphic botnet known as Beebone or AAEH. By spreading the downloader worm known as W32/Worm-AAEH, Beebone facilitated the download of a variety of malware, including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail Spambots, Fake anti-virus and ransomware. W32/Worm-AAEH includes worm-like functionality to spread quickly to new machines, and contains a cyclic update routine to replace itself with newer versions to increase likelihood of remaining undetected by anti-virus software. During its peak in July/August 2014, it updated itself with newer variants up to multiple times a day.

Intel Security is aware of more than 5 million unique AAEH samples, distributed primarily across the US, Japan, India, Taiwan, Germany, and the UK.

At one of its operational peaks in September 2014, more than 100,000 infections of the Beebone botnet were detected by the McAfee Labs team. At the last recording of infection rates in March 2015, McAfee Labs detected 12,000 live infections. As this figure included only telemetry from Intel Security, we suspect this was likely to be much higher.

The operation has been led by the Joint Cyber Action Taskforce (J-CAT), located at Europol’s headquarters, a cooperation between EC3, most EU Member States and law enforcement partners around the world. Combining resources, the J-CAT is an effective multilateral platform in the fight against cybercrime. The J-CAT works together with public- and private entities and academia on a very operational level, in order to identify and mitigate the biggest cyber threats around the world, and apprehending the persons responsible for them.

The takedown of AAEH is the result of a close cooperation between a Dutch-led J-CAT-operation and Intel Security and several other operational partners. Combining investigative and technical skills, as well as sharing information and experiences, led to the recent destruction of the botnet.

Of course dismantling the communications infrastructure is only part of the response, with the remediation of infected systems a critical step in the dismantling of a botnet.  This is made particularly more difficult with the evasive steps taken by the botnet regarding clean-up.  Not only were we faced with multiple DGA refreshes (Domain Generation Algorithm), but also the botnet actively blocks connections to Anti-Virus vendor websites (including our own).

Further detail on AAEH will be provided in an upcoming white paper, however it is important to recognise the efforts of all parties in this operation.  Particularly, the team at the Dutch High Tech Crime Unit that led law enforcement efforts, who were supported by their U.S. counterparts including the FBI.  In terms of private sector support, in addition to the sterling efforts of our own McAfee Labs team, we are indebted to Kaspersky Lab for their analysis and F-Secure for the development of a removal tool for infected systems.

Please note, as the malware blocks connections to AV companies, those infected may have difficulty following links to download the removal tools.  As a result the team at ShadowServer whose support was critical to this operation have made a webpage available where these tools can be directly downloaded.


You have often seen and heard us at Intel Security discuss the importance of Public-Private Partnerships most recently with the recent MoU between us and EC3.  This operation is further evidence that only a combined response is capable of slowing down the every growing menace of cybercrime.

The post Takedown! McAfee Labs Stops Beebone Polymorphic Botnet appeared first on McAfee.