“Operation Source” scored a win for the home team yesterday by taking down the AAEH botnet (also known as Beebone). This multi-organization effort (see the full list of organizations below) resulted in the domains associated with the botnet being sinkholed. This effort provides a window of time for the infection to be cleaned up before it receives new marching orders.

You can read more about the malware associated with this network in the US-CERT post or in the press release from Europol. In this post we’re going to take a deeper look at the infrastructure of this botnet and how it has evolved over time.

Initial Report

After the press release announcing the takedown, the OpenDNS security research team used the preliminary data to map the known infrastructure and compare it with our unique view of DNS traffic on the internet.

Looking at the activity of networks that were known to have requested AAEH domains provided some insight into just how widespread this network is. This pattern analysis uncovered new domains that were not initially suspect and expanded the discovered area of the botnet by 7.1 percent.

After sharing the specifics of that discovery with the community, it was time to start looking at how this infrastructure had evolved over time.

Infrastructure Growth

Our data showed the first signs of malicious activity on a domain associated with AAEH in early January of 2014. In fact, when the takedown was announced, OpenDNS had already blocked 68.8 percent of the botnet network based on other suspicious indicators.

If we take all of the historical data we have on these domains and analyze their behavior, we can put together a crude picture of the growth of AAEH. We have enough data to reliably map 33% of the domains and provide insight on how the network grew over 446 days (from January 5, 2014 to March 27, 2015).

This chart shows the percentage growth the botnet experienced on each of these dates. It is not cumulative.

[Chart: AAEH Growth Estimates]

While we don’t have sufficient data to correlate the infection rates, this growth rate may be an indication of active infections. As more systems were infected and started reporting back into the infrastructure, more capacity may have been brought online.

Job Half Done

It’s easy to assume that the threat has dissipated since the infrastructure has been cut off at the knees. Unfortunately, that’s not the case. Here’s a chart of continuing, active requests to the known AAEH domains.

[Chart: AAEH Traffic Timeline]

You can see a significant amount of active requests continuing even after Operation Source’s takedown. These requests are an indication of the number of infected machines still attempting to contact the command and control infrastructure.

The data show the raw number of continuing requests and do not correlate directly to the number of infected devices, as a single device will make multiple requests.

Due to the takedown, these devices are now receiving a benign response, but they still need to be disinfected. US-CERT has published links to cleanup tools for various systems that can help with these efforts.
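To find the machines that still need cleaning on your own network, the same distinction between raw requests and infected devices can be applied to resolver logs. The following is an added example, not OpenDNS code: the log format, the client addresses and the two domain names are constructed placeholders, since this post lists no AAEH domains.

```python
from collections import Counter, defaultdict

# Constructed placeholders standing in for the indicator list published
# with the takedown; the post itself names no domains.
SINKHOLED_DOMAINS = {"aaeh-placeholder-1.example", "aaeh-placeholder-2.example"}

# Constructed sample log. Assumed format: "<timestamp> <client IP> <query name> <type>"
SAMPLE_LOG = """\
2015-04-10T08:00:01Z 10.0.0.15 aaeh-placeholder-1.example. A
2015-04-10T08:00:07Z 10.0.0.15 AAEH-Placeholder-1.example. A
2015-04-10T08:01:12Z 10.0.0.15 www.aaeh-placeholder-2.example. A
2015-04-10T08:02:30Z 10.0.0.22 intranet.corp.example. A
2015-04-10T08:03:44Z 10.0.0.31 aaeh-placeholder-2.example. A
2015-04-10T08:03:50Z 10.0.0.22 notaaeh-placeholder-1.example. A
malformed line
"""

def matches_indicator(qname, indicators):
    """True if qname is an indicator domain or a subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare whole-label suffixes so "notaaeh-..." does not match "aaeh-...".
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))

def summarize(log_text, indicators):
    """Return (raw_request_count, {client_ip: Counter of matched names})."""
    per_client = defaultdict(Counter)
    raw = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qname, _qtype = fields
        if matches_indicator(qname, indicators):
            raw += 1
            per_client[client][qname.rstrip(".").lower()] += 1
    return raw, dict(per_client)

if __name__ == "__main__":
    raw, clients = summarize(SAMPLE_LOG, SINKHOLED_DOMAINS)
    print(f"{raw} requests from {len(clients)} distinct clients")
    for ip, hits in sorted(clients.items()):
        print(ip, dict(hits))
```

The distinct client list, not the request total, is the worklist for disinfection. Behind NAT or a forwarding resolver a single client address can hide several machines.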

The cleanup should be completed as soon as possible, as the attacker will inevitably attempt to rebuild the infrastructure.

Next Steps

While this botnet doesn’t exhibit any particularly unique qualities, it was quite active, and the successful takedown will reduce its effectiveness significantly.

More importantly, the coordinated effort between public and private organizations shows how much of an impact the industry can have when we put aside competitive differences and work together. The success of this operation should hopefully lead to more partnerships like this one, and that is a big win for security.

Organizations Involved in Operation Source

  • Europol’s European Cybercrime Centre (EC3)
  • The Joint Cybercrime Action Taskforce (J-CAT)
  • Dutch authorities
  • National Cyber Investigative Joint Task Force – International Cyber Crime Coordination Cell (IC4)
  • The FBI
  • Intel Security
  • Kaspersky
  • Shadowserver
