The French police have taken over and neutralised a large cryptocurrency-mining botnet. The botnet controlled nearly a million infected computers.
It was the Retadup malware, TechCrunch writes. This malware infects computers and then uses their processor power to mine cryptocurrency. The malware can also be used to execute other malicious code, such as spyware or ransomware. In addition, it has wormable capabilities, allowing it to spread from computer to computer.
The malware was active worldwide, but has now been taken offline. This was done with the help of security company Avast. Avast discovered a design flaw in the malware’s command and control server. This made it possible to remove the malware from victims’ computers without having to send any code to them.
Cooperation with police
However, the company’s investigators had no authority to start the operation. Because most of the malware’s infrastructure was located in France, Avast decided to contact the police there.
This was followed in July by the approval of the prosecutors, after which the police started taking over the server and disinfecting the affected computers. According to the police themselves, the botnet is one of the largest networks of compromised computers in the world.
During the operation, a snapshot of the malware’s command and control server was secretly taken with the help of the web host. The researchers then made their own replica, which cleaned up affected computers rather than causing infections.
850,000 infected computers
The police and Avast were able to clean up more than 850,000 infected computers in this way.
According to the researchers, one of the challenges was making sure that the cybercriminals did not notice that a snapshot was being taken of their server. Had they noticed, they could have hit back.
Once they realized that we were about to take Retadup offline, they might have sent ransomware to hundreds of thousands of computers while trying to milk their malware for a last bit of profit.