SINGAPORE, 5 December 2017 – Security researchers at ESET,
in collaboration with Microsoft and law enforcement agencies – the Federal
Bureau of Investigation (FBI), Interpol, Europol, and other stakeholders in
cybersecurity – have today taken down a major botnet operation known as Gamarue
(detected by ESET as Win32/TrojanDownloader.Wauchos), which has been infecting
victims since 2011.
A coordinated takedown started on November 29th, 2017 and,
as a result of this joint effort, law enforcement agencies across the globe
were able to make an arrest and obstruct the activity of the malware family
responsible for infecting more than 1.1 million systems per month.
ESET and Microsoft researchers shared technical analysis,
statistical information, and the domains of known command and control (C&C)
servers to help disrupt the malicious activity of the group. ESET also shared its
historical knowledge of Gamarue, gained from the continual monitoring of the
malware and its impact on users over the past few years.
What is Gamarue?
Created by cybercriminals in September 2011, and sold as a
crime-kit on the Dark Web in underground forums, the purpose of the Gamarue
family was to steal credentials and to download and install additional malware
onto users’ systems.
This malware family is a customizable bot, which allows the
owner to create and use custom plugins. One such plugin allows the
cybercriminal to steal content entered by users in web forms while another
enables criminals to connect back and control compromised systems.
Its popularity has resulted in a number of independent
Gamarue botnets in the wild. In fact, ESET found that its samples have been
distributed across the globe through social media, instant messaging, removable
media, spam, and exploit kits.
How did ESET and Microsoft researchers gather intelligence?
Using the ESET Threat Intelligence service, ESET researchers
were able to build a bot that could communicate with the threat’s C&C
servers. Consequently, ESET and Microsoft were able to closely track Gamarue’s
botnets for the past year and a half, identifying their C&C servers for
takedown and monitoring what was installed on victims’ systems. The two
companies have since compiled a list of all of the domains used by the
cybercriminals as C&C servers.
“In the past, Wauchos has been the most detected malware
family amongst ESET users, so when we were approached by Microsoft to take part
in a joint disruption effort against it, to better protect our users and the
general public at large, it was a no-brainer to agree,” said Jean-Ian Boutin,
Senior Malware Researcher at ESET. “This particular threat has been around for
several years now and it is constantly reinventing itself – which can make it
hard to monitor. But by using ESET Threat Intelligence and by working
collaboratively with Microsoft researchers, we have been able to keep track of
changes in the malware’s behavior and consequently provide actionable data
which has proven invaluable in these takedown efforts.”
What should users do if they suspect their systems have been
Cybercriminals have traditionally used Gamarue to target
home users to steal credentials from websites through its form grabber plugin.
However, ESET researchers have recently seen the malware being used to install
various spam bots onto compromised machines in a so-called pay-per-install
ESET is advising users that fear their Windows system might
be compromised to download and use the ESET Online Scanner, which will remove
any threats, including Gamarue, found on the system. To learn about a more
complex way to protect your devices from botnets, please visit ESET’s dedicated
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single "in-the-wild" malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.