Beebone Be Gone!

There’s been a lot of media attention this week over the ‘Beebone Botnet’ that’s been completely taken offline as the result of a joint action between Europol, the FBI and a few big-name security firms (see here for the detail).

Beebone’s purpose in life was to be a downloader or ‘dropper’ for other Malware (The UPS or DHL of the Malware world, if you will), so cutting this one off at the knees should slightly reduce new infections of things like Cryptolocker and Cutwail – at least until the bad guys shift to a new delivery mechanism. Sadly Beebone was a pretty small player, so it’s unlikely we’re going to see any dramatic shifts.

Although it’s quite a tricky piece of malware to be sure, it’s also not quite as advanced as the breathless Europol press release would have you believe. There’s some attention lavished on the polymorphic capabilities, which sound impressive but really only mean the malware updates itself dynamically to avoid signature-based antivirus. Around 80% of modern malware uses this trick, so there’s nothing unique about Beebone in this regard (and it’s exactly why people tend to claim that signature-based AV is pretty much dead).

So whilst the takedown in and of itself will likely have a negligible impact on the sum total of threats most organisations face, the more promising aspect is that this is the second successful joint action between police and the IT security industry in as many months (the RAMNIT takedown being another Europol action). We can only hope this bodes well for more frequent and larger scale takedown operations in the future.

If you’re curious exactly how Beebone was broken – the takedown relied on the fact that the malware used a ‘Domain Generation Algorithm’ (DGA) to talk back to its Command and Control servers – another increasingly common malware trait. DGAs are typically quite simple bits of code that generate a long list of random domain names on a daily basis. These domains are hard to keep track of and hard to block, and the criminals have the upper hand as they only need to register a single one of these thousands of potential domains for the malware to be able to phone home for instructions – it’s like finding a needle in a haystack for those defending the network.

Europol and friends were able to stop Beebone by reverse engineering the DGA and then predicting all the possible domain names for a given day and bulk-seizing them at just the right time so that the botnet simply couldn’t talk home (known as sinkholing).
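To make the prediction step concrete, here is an added example (not Beebone’s actual algorithm and not ITC’s code): a toy date-seeded generator shows why a reverse-engineered DGA is fully predictable, and how a defender can precompute the candidate domains and match them against DNS query logs. The seed, TLD list, hash construction and log format are all assumptions made for the illustration.

```python
import hashlib
from datetime import date, timedelta

SEED = b"constructed-demo-seed"   # constructed value, not from any real malware
TLDS = ("com", "net", "org")      # assumed TLD set for the toy generator

def toy_dga(day, count=1000):
    """Toy DGA: the same seed and date always produce the same domain list."""
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains

def predicted_domains(start, days):
    """Defender's view: every domain the sample could try during the window."""
    return {d for n in range(days) for d in toy_dga(start + timedelta(days=n))}

def flag_queries(dns_log, watchlist):
    """Map client IP -> watchlisted domains it queried ('time client qname' lines)."""
    hits = {}
    for line in dns_log:
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()   # normalise case and trailing dot
        if qname in watchlist:
            hits.setdefault(client, []).append(qname)
    return hits

def sample_log(day):
    """Constructed resolver log: two normal lookups and one DGA lookup."""
    beacon = toy_dga(day)[417]
    return [
        f"{day}T09:14:02Z 10.0.0.17 www.example.com.",
        f"{day}T09:14:05Z 10.0.0.23 {beacon.upper()}.",
        f"{day}T09:14:09Z 10.0.0.17 mail.example.org.",
    ]

if __name__ == "__main__":
    today = date(2015, 4, 10)                     # arbitrary date for the demo
    watchlist = predicted_domains(today, days=7)  # precompute a week ahead
    print(len(watchlist), "candidate domains")
    for client, names in flag_queries(sample_log(today), watchlist).items():
        print("ALERT", client, "queried", names)
```

The same precomputed set serves both purposes described above: registering or seizing the names ahead of time (sinkholing), and alerting on any internal host that looks one of them up.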

At ITC, our NetSure360° Security Service can help you stay ahead of these kinds of malware threats (and many others). We currently track around 250,000 ever-changing malware DGA domains and will immediately alert our customers should any of their machines start to talk to the bad guys.

If you want to know more about this or the other security services we offer then don’t hesitate to get in touch – [email protected] or 020 7517 3900.