The infamous and particularly dangerous Beebone botnet has finally been taken out of action following a joint initiative between Europol and the FBI. The Beebone botnet was believed to be controlling well over 100,000 computers late last year, and while many of the botnet infections have since been cleaned, around 12,000 computers are still believed to be infected with the malware.

Beebone botnet used to infect computers with malware

The botnet may have been relatively small, only involving around 12K computers, but it was particularly nasty. It was used to download other malware onto the computers, including password stealers, rootkits, fake security software and a host of other malicious programs. Any computer fallen victim to Beebone is therefore likely to be infected with a wide range of other malware.

The Beebone botnet proved difficult to locate

The Joint Cybercrime Action Taskforce of Europol struggled to locate the servers used for the Beebone botnet. Part of the reason was the software being used was particularly effective at avoiding detection. The polymorphic software was able to reconfigure itself frequently making it incredibly difficult to track down. Traditional signature detection methods of botnet identification were ineffective since the software was able to change its signature up to 19 times per day.

Beebone was also able to determine when it was under attack. When it detected it was being isolated or studied, it triggered a change in its unique identifier. The Beebone botnet was one of the most sophisticated ever seen.

Operation Beebone sinkholes almost 100 domains

The key to shutting down the botnet was to interfere with its ability to communicate with its command and control servers. Hacker’s instructions were thus prevented from reaching the software. In order to shut it down, the Joint Cybercrime Action Taskforce and the FBI enlisted the help of Intel Security, Shadowserver, and Kaspersky Lab and the joint operation was finally successful.

Once the malware had been isolated, the Joint Cybercrime Action Taskforce was able to identify and sinkhole around 100 domains used to communicate with the malware.

Unfortunately, while the botnet is believed to have been effectively shut down, this is only a temporary fix. Domains have been sinkholed but this is only a short-term solution. Any computer that has been infected must now be cleaned. That means some 12,000 or so computers must have the infection removed and that process is not straightforward.

The malware removal process can now start in earnest

Removing the malware is easy. Many tools have been developed to do this. In order for an infection to be cleaned, the owner of the infected computer will need to use one of those tools. For that to happen, the owner must be aware that their computer has been infected and most do not. That means Internet Service Providers will need to notify individuals known to be infected. That process may take some time but it can now start.

It is essential that all users clean the infection. It is possible that the malware installed on their computers could be reactivated if not removed.