Law enforcement agencies across the globe and members of the private sector announced today they shut down the Andromeda (Gamarue or Wauchos) botnet.

The takedown took place last Wednesday, November 29, 2017. Law enforcement organizations that participated in the takedown include the Federal Bureau of Investigation (FBI), the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), and Eurojust.

Private sector partners that also lend a big hand include the Shadowserver Foundation, Microsoft, ESET, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI).

What is Andromeda

Andromeda (Gamarue, Wauchos) is a name used to describe a botnet (network) of computers infected with the eponymous malware.

The botnet first arrived on the scene in 2011 and continued to grow to massive numbers in recent years, according to reports from Microsoft (2015), G Data (2016), Fortinet (2016), and ESET (2017).

During all this time, Andromeda's operator used the botnet to send spam that infected new users, keeping the botnet alive, but also delivered second-stage malware to already infected users. This tactic allowed the Andromeda owner to make a profit by renting the botnet to other crooks.

According to telemetry data gathered by Microsoft, at the time it was shut down, the Andromeda botnet delivered 80 different malware families to victims during the last six months.

During that period, Microsoft says it saw an average of one million computers per month infected with the Andromeda malware.

Andromeda and Avalanche operations were connected

The date of the Andromeda takedown was not an accident. The takedown comes a year after the same group of law enforcement organizations and private sector partners took down a malware-distribution infrastructure known as Avalanche.

Avalanche was a network of servers and adjacent services that hosted the distribution infrastructure of 21 malware families.

According to Europol and the Shadow Foundation, authorities did not include any details about Andromeda being hosted on the Avalanche network in last year's press releases.

They intentionally excluded any mention of Andromeda from news releases in order to keep the botnet under surveillance and gather more information needed for a proper takedown. For years, authorities had tried to take down the botnet, but failed due to insufficient data.

Andromeda operator arrested

The data they collected during this time was put to very good use. For starters, Europol says police arrested a man in Belarus who they suspect of running the main Andromeda's botnet. Even if police have not released the man's name, cyber-security firm Recorded Future believes to have identified the hacker, going online by the name of Ar3s.

Furthermore, investigators say they also seized and sinkholed Andromeda's seven main command-and-control (C&C) servers that were used to manage the botnet, and seized over 1,500 domain names that would have been used to host these servers for small periods of time.

These were crucial servers, as they managed over 460 smaller Andromeda botnets. This scattered structure was also one of the main reasons why authorities weren't able to take down Andromeda in the past, always missing a few of these servers, which were more than enough for Andromeda's operators to start anew.

Data from the first 48 hours after authorities sinkholed the C&C servers showed Andromeda's huge global scale. According to reports, Andromeda infected users in 223 countries, and over two million infected bots tried to connect to the seven C&C servers during that time.

While Necurs still holds the lead as the world's largest botnet, with an estimated size of 5 to 6 million bots per month, Andromeda was one of the largest botnets on the market.

Technical reports on Andromeda's infrastructure were published earlier today by the Shadow Foundation, Microsoft, and ESET.