When Europol helped coordinate the April takedown of the Beebone botnet, information security expert Raj Samani - who assisted with the takedown - says everyone involved in the operation estimated that the polymorphic botnet was composed of about 12,000 infected systems, and that the majority were based in the United States.
"But actually, what we realized was the number of infected hosts were way higher. In fact, we're seeing in our sinkhole somewhere between 30,000 to 40,000 unique infections per day. So, it's way bigger than we initially thought, but the remediation is the painful part now," says Samani, who is the Europe, Middle East and Africa chief technology officer for Intel Security - formerly known as McAfee. To date, there's been about a 10 percent reduction in the number of infected hosts, from 37,000 to 33,000. But based on updated attack telemetry, researchers also found that the majority of infected botnet nodes are located in Iran, followed by Peru, neither of which is typically a hotbed of cybercrime or botnet infections.
The Beebone botnet - a.k.a. AAEH - is a polymorphic downloader, used by attackers to infect a PC and then install additional malware. The botnet is now being sinkholed, meaning that all related sites that were registered by attackers have been suspended, domain names seized, and traffic redirected to servers controlled by security experts. Related lists of infected IP addresses have also been distributed to Internet Service Providers and national Computer Emergency Response Teams, to warn victims and urge them to disinfect their PCs.
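The two downstream tasks described above - counting unique infections per day in the sinkhole and turning that telemetry into per-ISP/per-CERT cleanup lists - look roughly like the following added example (not code from Intel Security, Europol or the article). The log lines, the hostname and the prefix-to-recipient routing table are all constructed here; a real deployment would use WHOIS/ASN data for the routing step.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log lines (not real telemetry): "<ISO timestamp> <client IP> <requested hostname>".
SINKHOLE_LOG = """\
2015-06-01T08:12:03Z 203.0.113.7 example-beebone-c2.invalid
2015-06-01T09:40:11Z 203.0.113.7 example-beebone-c2.invalid
2015-06-01T10:02:45Z 198.51.100.23 example-beebone-c2.invalid
2015-06-01T22:17:09Z 192.0.2.88 example-beebone-c2.invalid
2015-06-02T01:05:30Z 203.0.113.7 example-beebone-c2.invalid
2015-06-02T03:33:52Z 192.0.2.88 example-beebone-c2.invalid
2015-06-02T03:34:01Z 192.0.2.91 example-beebone-c2.invalid
2015-06-02T05:00:00Z not-an-ip example-beebone-c2.invalid
"""
# Constructed prefix -> notification recipient mapping (hypothetical; stands in for a WHOIS/ASN lookup).
NOTIFICATION_ROUTING = {
    ipaddress.ip_network("203.0.113.0/24"): "cert-ir (hypothetical)",
    ipaddress.ip_network("198.51.100.0/24"): "cert-pe (hypothetical)",
    ipaddress.ip_network("192.0.2.0/24"): "isp-example-abuse (hypothetical)",
}

def parse_sinkhole_log(text):
    """Yield (date, ip) pairs from sinkhole log lines; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield day, ip

def unique_infections_per_day(text):
    """Distinct source IPs per day: a host polling many times counts once (NAT/DHCP make this approximate)."""
    seen = defaultdict(set)
    for day, ip in parse_sinkhole_log(text):
        seen[day].add(ip)
    return {day.isoformat(): len(ips) for day, ips in sorted(seen.items())}

def build_notification_lists(text):
    """Group every infected IP observed by the ISP or national CERT that should receive the cleanup list."""
    lists = defaultdict(set)
    for _, ip in parse_sinkhole_log(text):
        owner = next((p for n, p in NOTIFICATION_ROUTING.items() if ip in n), "unrouted")
        lists[owner].add(str(ip))
    return {owner: sorted(ips) for owner, ips in lists.items()}
```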
In an interview recorded at Infosecurity Europe - where Samani is delivering a keynote devoted to critical-infrastructure security concerns - he also details:
- What happens after law enforcement agencies launch a botnet takedown;
- The need to reach and educate new markets with malware-related information;
- How to battle online attacks that cross borders.
Samani is Intel Security's vice president and EMEA chief technical officer. He's also a cybersecurity adviser to Europol's European Cybercrime Center - EC3 - and the chief innovation officer for the Cloud Security Alliance. He has previously worked at the U.K. chapter of the Information Systems Security Association, consultancies CapGemini and Deloitte, and technology vendor Qualys.