International Operations Take Down Beebone, Simda Botnets


In two separate coordinated operations over the past week, law enforcement agencies and private-sector partners took down two botnets, Simda and Beebone.

On April 8, 2015, Europol's European Cybercrime Center (EC3), the Joint Cybercrime Action Taskforce (J-CAT), the Dutch National High Tech Crime Unit, the FBI, U.S.-based representatives at the National Cyber Investigative Joint Task Force - International Cyber Crime Coordination Cell (IC4), and private sector partners including Intel Security, Kaspersky and Shadowserver collaboratively targeted the Beebone botnet, also known as AAEH, which has installed various forms of malware on at least 12,000 computers.

"The botnet was 'sinkholed' by registering, suspending or seizing all domain names with which the malware could communicate and traffic was then redirected," Europol said in a statement. "Data will be distributed to the ISPs (Internet Service Providers) and CERTs (Computer Emergency Response Teams) around the world, in order to inform the victims."
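The sinkholing described above leaves a log of every infected host that still tries to reach a seized domain; turning that log into per-ISP and per-CERT victim notifications is the "data will be distributed" step. The following script is an added example, not part of the original article and not code from Europol or any of the takedown partners: it parses constructed sinkhole hit lines, collapses them to one record per victim IP, and buckets the victims by a constructed allocation table (CIDR to abuse contact) so each network owner receives only its own hosts. All IPs, domains and contact addresses are placeholders, and the log format is an assumption.

```python
"""Group sinkhole hits by responsible network for victim notification.

Added example: not the article's code and not any takedown partner's tooling.
The sinkhole log format (timestamp, source IP, source port, queried domain)
and every IP, domain and contact below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log: one line per connection attempt to a seized domain.
SAMPLE_SINKHOLE_LOG = """\
2015-04-08T03:12:44Z 198.51.100.23 51234 example-c2-a.invalid
2015-04-08T03:12:45Z 198.51.100.23 51235 example-c2-b.invalid
2015-04-08T03:13:02Z 203.0.113.77 40001 example-c2-a.invalid
2015-04-08T03:13:09Z 192.0.2.200 33050 example-c2-c.invalid
2015-04-08T03:14:00Z malformed line here
2015-04-08T03:15:10Z 203.0.113.78 40002 example-c2-b.invalid
"""

# Constructed allocation table: which contact is responsible for each prefix.
NETWORK_CONTACTS = {
    "198.51.100.0/24": "abuse@isp-one.example",
    "203.0.113.0/24": "cert@cert-two.example",
}


def parse_sinkhole_log(text):
    """Yield (timestamp, ip_address, domain) for each well-formed line.

    Lines that do not have exactly four fields, or whose IP or timestamp
    does not parse, are skipped rather than aborting the whole batch.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, _port, domain = parts
        try:
            addr = ipaddress.ip_address(ip)
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, addr, domain


def build_notifications(text, contacts=NETWORK_CONTACTS):
    """Return {contact: {victim_ip: {first_seen, last_seen, domains}}}.

    Victims whose address falls outside every known prefix land under the
    key "unassigned" so they are not silently dropped.
    """
    # Longest prefix first, so a more specific allocation wins if they overlap.
    networks = sorted(
        ((ipaddress.ip_network(cidr), contact) for cidr, contact in contacts.items()),
        key=lambda item: item[0].prefixlen,
        reverse=True,
    )

    # One record per victim IP: repeated hits collapse into first/last seen.
    victims = {}
    for when, addr, domain in parse_sinkhole_log(text):
        rec = victims.setdefault(addr, {"first": when, "last": when, "domains": set()})
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
        rec["domains"].add(domain)

    buckets = defaultdict(dict)
    for addr, rec in victims.items():
        contact = next((c for net, c in networks if addr in net), "unassigned")
        buckets[contact][str(addr)] = {
            "first_seen": rec["first"].isoformat(),
            "last_seen": rec["last"].isoformat(),
            "domains": sorted(rec["domains"]),
        }
    return dict(buckets)


if __name__ == "__main__":
    for contact, hosts in build_notifications(SAMPLE_SINKHOLE_LOG).items():
        print(f"{contact}: {len(hosts)} victim host(s)")
        for ip, info in hosts.items():
            print(f"  {ip} seen {info['first_seen']}..{info['last_seen']} via {', '.join(info['domains'])}")
```

Real sinkhole feeds carry far more fields (ASN, user agent, the malware family inferred from the domain), and the allocation lookup would come from WHOIS or a routing table rather than a hand-written dictionary; the structure is the same.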

"The botnet does not seem the most widespread, however the malware is a very sophisticated one, allowing multiple forms of malware to compromise the security of the victims’ computers," Europol added.

Malware installed by Beebone included software designed to steal banking login credentials, as well as fake anti-virus software and ransomware, according to the FBI.

"This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime," Wil van Gemert, Europol's Deputy Director of Operations, said in a statement. "We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes."

"Botnets like Beebone have victimized users worldwide, which is why a global law enforcement team approach working with the private sector is so important," Joseph Demarest, Jr., the FBI's Assistant Director for Cyber, said in a statement.

Separately, on April 9, 2015, a global operation coordinated from the Interpol Global Complex for Innovation (IGCI) in Singapore targeted the Simda botnet, which is believed to have infected more than 770,000 computers worldwide. Simda was used to gain remote access to infected computers, install additional malware, and steal personal information, including banking passwords.

Approximately 90,000 new infections were detected in the U.S. in the first two months of 2015 alone.

The Interpol Digital Crime Center (IDCC) at the IGCI worked with Microsoft, Kaspersky, Trend Micro and Japan's Cyber Defense Institute to develop a heat map showing the spread of infections and the location of command and control servers.

Ten Simda command and control servers were then taken down in the Netherlands, and additional servers were taken down in the U.S., Russia, Luxembourg and Poland.

"This successful operation shows the value and need for partnerships between national and international law enforcement with private industry in the fight against the global threat of cybercrime," IDCC director Sanjay Virmani said in a statement. "This operation has dealt a significant blow to the Simda botnet, and Interpol will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats."

"Botnets are geographically distributed networks and it is usually a challenging task to take down such a thing," Kaspersky Lab principal security researcher Vitaly Kamluk said in a statement. "That’s why the collaborative effort of both private and public sectors is crucial here -- every party makes its own important contribution to the joint project."