Cyber police in France have freed over 850,000 computers from a botnet. The computers, located in over 100 countries, were infected by the Retadup worm. It was spread through malicious email attachments. Details of the takedown and a technical breakdown of Retadup were published in a blog from Jan Vojtěšek at Avast.
Acting on intelligence provided by computer security company Avast, France’s C3N (Cyber N’tech) identified and located the Command & Control (C&C) server, which was based in Paris. C3N took control of the server and replaced it with their own. That server contained code that caused the virus to self-destruct. Over 850,000 computers are no longer infected. At the same time, the self-destruct mechanism means that the machines cannot simply be reacquired by another attacker.
The C3N also worked with the FBI, as the Retadup creators had located some of their C&C infrastructure in the US. The FBI took those servers down at the same time as the C3N took control of the server in Paris.
What is Retadup?
Retadup is a piece of malicious code that has been around since 2017. It started life as a Trojan which collected data from the local machine. As it spread, several companies offered “disinfection” code that removed different versions of the malware.
In 2018, Trend Micro reported that they had seen a major update to the Retadup code. It had acquired the ability to change how it looked to anti-virus programmes. This made it much harder to find and disinfect. It also meant that previous disinfection code was far less effective.
While the evolution to being a polymorphic malware was a big step, Retadup also changed its behaviour. It became more aggressive in how it spread from computer to computer. It also installed cryptomining software on infected machines. This enabled attackers to generate Monero, a cryptocurrency.
Retadup was distributing more than cryptomining software. It also spread HoudRat. The researchers at Avast noted that: “HoudRat is just a more feature-rich and less prevalent variant of Retadup. HoudRat is capable of executing arbitrary commands, logging keystrokes, taking screenshots, stealing passwords, downloading arbitrary files and more.”
There are also reports that Retadup distributed ransomware and other malware. This is in line with many botnets, where the owners will rent them out to spread different attacks. Surprisingly, there is no evidence yet that the Retadup botnet was used in any distributed denial of service (DDoS) attack.
Irony is a cruel mistress
In a moment of irony, Vojtěšek writes: “All of the executable files on the server were infected with the Neshta fileinfector. The authors of Retadup accidentally infected themselves with another malware strain. This only proves a point that we have been trying to make – in good humor – for a long time: malware authors should use robust antivirus protection.”
Enterprise Times: What does this mean?
Much of the attention on botnets in recent years has focused on large numbers of infected IoT devices. It is easy to forget that botnets will infect anything given the chance. Botnet creators are keen to spread their attacks over as much of the Internet as possible. In this case, they had amassed a not inconsiderable botnet of over 850,000 machines.
However, amassing and keeping a botnet are two different things. The detailed breakdown of Retadup shows a number of mistakes and even arrogance from its creators. They taunted law enforcement over their work, bringing attention to themselves. The C&C protocol had a design flaw which allowed it to be taken over. That could have been used to disable the botnet at any point. Additionally, there is the irony that the creators managed to get infected by another piece of malware.
As the number of devices connected to the Internet continues to skyrocket, so will the number of botnets. Organisations need to focus their efforts not just on protecting core assets but also on protecting their staff. Helping staff secure their personal devices and homes is a first step. Providing education and tools might seem an extra cost that businesses don’t want to bear. However, it should be seen as an investment. Better-educated staff are likely to make fewer mistakes and therefore keep the enterprise safer as a result.
For now, chalk one up for law enforcement. The fact that nobody has been arrested means that we could see the return of Retadup in the future.