Law enforcement has dismantled the Andromeda malware family, which has been infecting computers since 2011. With the help of partners—including the FBI, Microsoft, and others—Europol intercepted the internet traffic between Andromeda-infected computers and the command servers to which the malware was communicating. All that traffic was then “sinkholed” and redirected to servers under the investigators’ control, giving law enforcement a detailed view of the malware’s activities. “According to Microsoft, during 48 hours of sinkholing, approximately 2 million unique Andromeda victim IP addresses from 223 countries were captured,” Europol said.
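The victim count Europol quotes comes from aggregating connection records on the sinkhole servers. The script below is an added illustration of that defender-side analysis, not code from Europol, Microsoft or any of the partners named above: it parses constructed sinkhole log lines in a hypothetical "timestamp, victim IP, country code, sinkholed domain" format (the domains are placeholders), counts unique victim IPs per country the way the "2 million unique victim IP addresses from 223 countries" figure would be derived, and extracts per-victim check-in intervals, since a fixed beacon period is one of the things a sinkhole operator looks for when characterising a bot.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of sinkhole connection records (hypothetical format):
# "<ISO timestamp> <victim IP> <country code> <sinkholed C2 domain>"
# IPs are from documentation ranges; domains are placeholders, not real Andromeda C2.
SAMPLE_LOG = """\
2017-11-29T10:00:01Z 198.51.100.7 US c2-placeholder-1.example
2017-11-29T10:00:03Z 203.0.113.22 RO c2-placeholder-1.example
2017-11-29T10:05:01Z 198.51.100.7 US c2-placeholder-2.example
2017-11-29T10:06:30Z 192.0.2.55 JP c2-placeholder-1.example
2017-11-29T10:10:02Z 203.0.113.22 RO c2-placeholder-1.example
2017-11-29T10:11:00Z 192.0.2.56 JP c2-placeholder-2.example
malformed line that a real sinkhole feed might contain
"""


@dataclass(frozen=True)
class SinkholeHit:
    ts: datetime
    victim_ip: str
    country: str
    domain: str


def parse_log(text: str) -> list[SinkholeHit]:
    """Parse the hypothetical log format, skipping lines that do not fit it."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or truncated record: ignore rather than abort the run
        ts_str, ip, cc, domain = parts
        try:
            ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        hits.append(SinkholeHit(ts, ip, cc, domain))
    return hits


def summarize(hits: list[SinkholeHit]) -> dict:
    """Unique-victim statistics of the kind quoted in the takedown announcement.

    Victims are counted by unique IP, so a bot that checks in repeatedly is
    counted once; a country is counted if at least one victim IP maps to it.
    """
    ips_by_country: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        ips_by_country[h.country].add(h.victim_ip)
    unique_ips = set().union(*ips_by_country.values()) if ips_by_country else set()
    return {
        "connections": len(hits),
        "unique_victims": len(unique_ips),
        "countries": len(ips_by_country),
        "victims_per_country": {cc: len(s) for cc, s in sorted(ips_by_country.items())},
        "domains": sorted({h.domain for h in hits}),
    }


def beacon_intervals(hits: list[SinkholeHit]) -> dict[str, list[int]]:
    """Seconds between successive check-ins per victim IP (only IPs seen more than once).

    A tight, repeating interval is the signature of an automated beacon rather
    than a human-driven connection.
    """
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for h in sorted(hits, key=lambda h: h.ts):
        by_ip[h.victim_ip].append(h.ts)
    return {
        ip: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        for ip, ts in by_ip.items()
        if len(ts) > 1
    }


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print(summarize(hits))
    print(beacon_intervals(hits))
```

On the constructed sample this reports 6 connections, 4 unique victims across 3 countries, and a 300-second check-in gap for the one victim that connected twice at a round interval; on a real feed the same aggregation is what turns millions of raw connections into the per-country victim counts that national CERTs receive for notification.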
Andromeda infections happened through attachments from spam email campaigns, tainted downloads from bootleg media websites, and through exploit kits running over hacked websites, according to security firm Avast. Once a computer was infected, Andromeda also acted as a keylogger or a form grabber to steal user IDs and passwords. In addition, it could remotely take control over a PC.
“Andromeda was also sometimes used to download up to 80 other malware families onto infected victim computers,” according to The Shadowserver Foundation, a group of security experts that also helped dismantle the Andromeda botnet.
The main targets of the malware include North America, Asia, and Romania, among others.
Security firm ESET has a free tool that anyone can use to check if they have Andromeda (also known as Wauchos) secretly running on their computer. Systems found infected with Andromeda tend to contain other malware, according to security researchers.
ESET also noted that Andromeda was sold to cyber criminals in underground internet forums. “There is always a possibility that someone will reuse the Andromeda kit to build a new botnet,” the company said in an email.