Microsoft And FBI Join Forces To Dismantle Destructive Andromeda Global Botnet

Microsoft announced this week that it has teamed up with the FBI and other partners including ESET to dismantle the massive botnet called Gamarue (Andromeda). Microsoft says that it and its partners began the journey to disrupt the botnet all the way back in 2015.


A coordinated take down started on November 29, 2017 and an arrest was made. ESET wrote, "A coordinated take down started on November 29, 2017 and as a result of this joint effort, law enforcement agencies across the globe were able to make an arrest and obstruct activity of the malware family responsible for infecting more than 1.1 million systems per month."

The road to the arrest started in 2015 when the Microsoft Windows Defender research team and DCU (Microsoft Digital Crimes Unit) launched a Coordinated Malware Eradication (CME) campaign against Gamarue along with ESET. That campaign started out with in-depth research into the infrastructure of the botnet. That investigation found that there were 1,214 domains and IP addresses associated with the botnet command and control servers. There were 416 distinct botnets and 80 associated malware families.

The Gamarue botnet has been used to distribute lots of other threats including Petya and Cerber ransomware, Kasidet malware, Letic spam bot, and malware intended to steal information from infected computers including Ursnif, Carberp, and Fareit.


The image here shows the global prominence of Gamarue, it touched virtually every continent. Microsoft says that over the last six months, Gamarue was detected and blocked on nearly 1.1 million computers per month. Gamarue was notable because of its modular nature, nefarious sorts could purchase additional plugins to add more features. For instance a keylogger was offered for $150, a Formgrabber for $250, and a Teamviewer for $250 alling remote control of the victim machine.

Microsoft offers these tips to computer users to help prevent infection from Gamarue as things are swept up. It says to be cautious when opening emails and social media messages from unknown users. Microsoft also says that you need to be wary about downloading software from websites that aren't the developer itself.

Microsoft writes, "More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue."