When is it fair to deem a botnet "complex"? Well, I think it's fair to label it as such when it requires a collection of cybercrime fighters from the US and Europe to ultimately give it its final blow.
Here's some context: "On 8 April, Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), joined forces with the Dutch authorities and the FBI, and U.S.-based representatives at the National Cyber Investigative Joint Task Force - International Cyber Crime Coordination Cell (IC4) along with private sector partners, to target the Beebone (also known as AAEH) botnet".
That sure is a mouthful. From a technological standpoint, the Beebone botnet is rather fascinating, and the fact that it required so much effort to take down helps prove that.
There are two major reasons why Beebone was so hard to dismantle. For starters, it consisted of two separate pieces of malware, each of which regularly re-downloaded the other if one was removed. On top of that, the malware had a shape-shifting design, sometimes changing its appearance up to 19 times per day, so a freshly downloaded copy did not look like the one that had just been removed.
Ultimately, the botnet was sunk because the domain names it used to spread and update itself were seized. Had the malware used a static IP address, it would have been discovered much more easily; because it used domain names, the IP address each one pointed to could be changed regularly, probably automatically.
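A defender's view of the same property: a hostname whose address is swapped out every few hours stands out in resolver logs, and once the names are seized, the same logs show which clients were still asking for them. The following is an added example, not code from the original post or from the takedown partners; the log format, the domain names and the addresses are all constructed for illustration.

```python
"""Flag hostnames whose resolved address churns, and list the clients that
queried a set of seized names. Added example; all input below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Constructed resolver log: timestamp, client, queried name, answer A record, TTL seconds.
# The C2-style name rotates its address through the day; the CDN name rotates
# too but only between two addresses; the third name never changes.
SAMPLE_LOG = """\
2015-04-01T00:05:00Z 10.0.0.12 update.example-c2.invalid 198.51.100.10 300
2015-04-01T03:10:00Z 10.0.0.12 update.example-c2.invalid 198.51.100.23 300
2015-04-01T06:40:00Z 10.0.0.31 update.example-c2.invalid 203.0.113.77 300
2015-04-01T09:00:00Z 10.0.0.12 update.example-c2.invalid 198.51.100.10 300
2015-04-01T12:15:00Z 10.0.0.31 update.example-c2.invalid 203.0.113.5 300
2015-04-01T18:45:00Z 10.0.0.12 update.example-c2.invalid 198.51.100.200 300
2015-04-01T13:07:00Z 10.0.0.31 www.example-static.invalid 192.0.2.40 86400
2015-04-01T00:07:00Z 10.0.0.12 www.example-static.invalid 192.0.2.40 86400
2015-04-02T01:00:00Z 10.0.0.12 cdn.example-cdn.invalid 192.0.2.1 60
2015-04-02T02:00:00Z 10.0.0.31 cdn.example-cdn.invalid 192.0.2.2 60
"""


@dataclass
class Resolution:
    ts: datetime
    client: str
    qname: str
    answer: str
    ttl: int


def parse_log(text: str) -> List[Resolution]:
    """Parse the constructed log: one whitespace-separated record per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer, ttl = line.split()
        records.append(Resolution(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                  client, qname.lower().rstrip("."), answer, int(ttl)))
    return records


def churn_by_domain(records: Iterable[Resolution]) -> Dict[str, Dict[str, int]]:
    """Per name: distinct answers, number of answer changes in time order, lowest TTL, lookups."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.qname].append(r)
    stats = {}
    for qname, recs in by_domain.items():
        recs.sort(key=lambda r: r.ts)  # log lines may arrive out of order
        changes = sum(1 for a, b in zip(recs, recs[1:]) if a.answer != b.answer)
        stats[qname] = {
            "distinct_ips": len({r.answer for r in recs}),
            "changes": changes,
            "min_ttl": min(r.ttl for r in recs),
            "lookups": len(recs),
        }
    return stats


def flag_churning_domains(records: Iterable[Resolution], min_distinct_ips: int = 3) -> List[str]:
    """Names that resolved to at least `min_distinct_ips` different addresses.
    Legitimate CDNs rotate too, so in practice this list is reviewed against an allowlist."""
    stats = churn_by_domain(records)
    return sorted(q for q, s in stats.items() if s["distinct_ips"] >= min_distinct_ips)


def clients_querying(records: Iterable[Resolution], seized: Iterable[str]) -> Set[str]:
    """Clients that looked up any of the seized names: the hosts an ISP would notify."""
    wanted = {d.lower().rstrip(".") for d in seized}
    return {r.client for r in records if r.qname in wanted}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for q in flag_churning_domains(recs):
        print(q, churn_by_domain(recs)[q])
    print(sorted(clients_querying(recs, {"update.example-c2.invalid"})))
```

The threshold is deliberately crude: distinct-address count alone also catches large CDNs, which is why the flagged list is a review queue rather than a block list. The second function is the notification step the post mentions, applied to the same log once the names are known to be seized.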
The fact that mere domain name seizures were what took down an entire botnet is pretty humorous to me, but it also goes to show just how complex Beebone was to persist for so long before those domain names were discovered.
It's said that ISPs are being notified using the data gathered, so anyone still infected with this now-neutralized malware should receive a notice from their ISP about it in the future.