Europol kills off shape-shifting 'Mystique' malware

By Dan Simmons, Technology Reporter

Published 9 April 2015

Image caption (Getty Images): Like the Beebone malware, X-Men's Mystique, played by Jennifer Lawrence, morphs to take on other identities.

Shapeshifting malware that changes its identity up to 19 times a day to avoid detection has been deactivated by Europe's Cybercrime Centre and the FBI.

At its height in September 2014 the malware, called Beebone, was controlling 100,000 computers a day.

Criminals used it to help steal passwords and download other programs to the infected computers.

Around 12,000 victims are being asked to use new online clean-up tools to remove it.

'Mystique-like' morphing

Image caption (Thinkstock): Beebone downloaded other malware which could steal passwords and banking details.

Once on a victim's computer, Beebone operates like a downloader application that can be controlled by the suspected criminal gangs behind the program.

It was used to force victims' PCs to fetch other malware from the internet including password stealers, ransomware, rootkits, and programs designed to take down legitimate websites.

Computer security firm Intel Security, which helped law enforcement agencies to stop the malware, said it had seen Beebone change its identity up to 19 times per day to avoid more traditional "signature detection" anti-virus methods.

Intel Security's chief technology officer Raj Samani told the BBC: "Beebone is highly sophisticated. It regularly changes its unique identifier, downloading a new version of itself, and can detect when it is being isolated, studied, or attacked.

"It can successfully block attempts to kill it."

Operation Beebone

Operation Beebone was carried out by the Joint Cybercrime Action Taskforce, set up by the European Union to tackle cross-border internet crime. The team finally managed to tackle the malware by stopping it from connecting to the internet servers used to control it and send it instructions.

Nearly 100 .com, .net and .org domains have been "sinkholed": the process by which traffic destined for suspected criminal-controlled servers is redirected to systems run by the investigating authorities. This allows detectives to "see" how the application behaves and to intercept the malicious software's requests for further instructions.

The FBI assisted in redirecting traffic from most of the sites being used by the gangs because they were operated from the United States and are under US jurisdiction.

The operation also involved private security firms Intel Security, Kaspersky Labs and Shadowserver. The taskforce now believes it has isolated the morphing malware so criminals can no longer make use of it.

Sustained threat

Paul Gillen, head of operations at the European Cybercrime Centre, told the BBC the agency would now look at whether those behind the attacks could be identified and brought to justice. He admitted the solution the taskforce had found was not a permanent one: "We can't sinkhole these domains forever. We need those infected to clean up their computers as soon as possible."

Several security vendors, including F-Secure, TrendMicro, Symantec and Intel Security, have created free tools to remove the Beebone malware.

Image caption (Europol): Symantec is one of several private security firms signed up to help EC3.

But victims need to first realise they have the malware on their systems before they can download the removal tool.

Raj Samani said those who have the malware "will be notified by their internet service provider".

The taskforce will hand ISPs in each affected country a list of suspected victims to contact.
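The two steps described above, sinkholing the seized domains and turning the resulting connection logs into a list of suspected victims for ISPs, as an added illustration in Python. This is not code from the article, Europol or any of the vendors named; every domain, address and log line below is a constructed placeholder (RFC 5737 test addresses), not Beebone's real infrastructure.

```python
from datetime import datetime

# Constructed placeholders standing in for seized command-and-control domains.
SINKHOLED_DOMAINS = {"c2-example-one.com", "c2-example-two.net", "c2-example-three.org"}
# Constructed address for the authorities' sinkhole server (TEST-NET-1 range).
SINKHOLE_IP = "192.0.2.10"

# Constructed sinkhole DNS log: timestamp, client IP, queried name.
SINKHOLE_LOG = """\
2015-04-08T09:12:01Z 198.51.100.23 update.c2-example-one.com
2015-04-08T09:12:05Z 198.51.100.23 c2-example-two.net
2015-04-08T09:13:44Z 203.0.113.7 www.example.org
2015-04-08T10:01:09Z 203.0.113.7 c2-example-three.org
2015-04-08T10:30:00Z 198.51.100.23 c2-example-one.com
"""


def sinkholed_parent(name, sinkholed=SINKHOLED_DOMAINS):
    """Return the seized domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in sinkholed:
            return candidate
    return None


def resolve(name):
    """What a sinkhole resolver answers: the sinkhole IP for seized names, None (NXDOMAIN) otherwise."""
    return SINKHOLE_IP if sinkholed_parent(name) else None


def suspected_victims(log_text):
    """Aggregate sinkhole hits per client: first/last seen, hit count and which seized domains it reached for.

    Queries for non-seized names are ignored; they are ordinary lookups, not evidence of infection.
    """
    victims = {}
    for line in log_text.splitlines():
        ts, client, name = line.split()
        parent = sinkholed_parent(name)
        if parent is None:
            continue
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec = victims.setdefault(client, {"first_seen": seen, "last_seen": seen, "domains": set(), "hits": 0})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["domains"].add(parent)
        rec["hits"] += 1
    return victims
```

The returned dictionary, keyed by client IP, is the kind of list that would be split by ISP for notification; repeated hits after a clean-up date are also the simplest sign that a removal tool did not finish the job.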

Dangerous threat

The Beebone malware was described by the Europol taskforce as "very sophisticated". Some security experts believe the consequences of the attack could have been much worse.

Portcullis Security in the UK advises various British government departments on cybersecurity issues. Its director, Paul Docherty, told the BBC:

"The fact that it [the malware] is complicated suggests that it could be used for more targeted attacks. If those responsible were able to harness similar difficult-to-detect code they could potentially move the point of attack from home users to corporate users or other entities which typically hold large amounts of sensitive, valuable data."

Mr Docherty said computer users should have anti-virus software installed and that it was essential that they kept it up-to-date. He warned against members of the public underestimating how valuable their computer might be to criminal hackers.

"There is still a general consensus that 'it won't happen to me, I have nothing anyone could want'. However, when you discuss with people what they actually use their technology for, this changes very quickly."

Future challenge

The total number of computers infected by Beebone is relatively modest compared with some recent malware take-downs, such as GameOver Zeus. Security experts believe this is because the malware was not spread by mass emailing potential victims with poisoned internet links, an approach known as spearphishing. Intel Security said Beebone was more commonly spread through physical media such as USB drives or data discs.

Now remaining victims are being asked to clean up their computers as soon as possible.

Mr Samani said those who have Beebone on their computers "were likely to have a lot of other malware too because of the nature of Beebone as a malware downloader itself".

But there is another good reason why victims will want to move on quickly, says Mr Docherty: "Clean-up after infection could be complicated, as this [criminal] campaign has used a constantly changing (polymorphic) dropper to implant malware, it is possible that it has also installed code of a similar nature to re-enable access to the systems following clean-up."